1.生成证书
可以在任意一台机器上生成（注意：生成证书的机器系统时间必须准确，这一点非常重要，证书的有效期是按生成时的时间计算的）
vim /etc/pki/tls/openssl.cnf
[ v3_ca ]
subjectAltName = IP:192.168.0.99 #仓库所在主机的IP地址。注意：下面的 openssl req / openssl x509 命令并没有通过 -config / -extensions 引用这一节，生成后建议用 openssl x509 -in basic-repository.crt -noout -text 确认证书里确实包含该 SAN，并考虑同时加入 DNS:basic-repository.xxxx.com，因为新版客户端校验的是 SAN 而不是 CN
[root@xxxx-test-221 basic-repository.xxxx.com-yuan]# openssl req -nodes -subj "/C=CN/ST=BeiJing/L=ChaoYao/CN=basic-repository.xxxx.com" -newkey rsa:2048 -keyout basic-repository.key -out basic-repository.csr
Generating a 2048 bit RSA private key
..........+++
.............................+++
writing new private key to 'basic-repository.key'
-----
[root@xxxx-test-221 basic-repository.xxxx.com-yuan]# openssl x509 -req -days 3650 -in basic-repository.csr -signkey basic-repository.key -out basic-repository.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=ChaoYao/CN=basic-repository.xxxx.com
Getting Private key
[root@xxxx-test-221 basic-repository.xxxx.com-yuan]# openssl x509 -req -in basic-repository.csr -CA basic-repository.crt -CAkey basic-repository.key -CAcreateserial -out basic-repository.crt -days 10000
Signature ok
subject=/C=CN/ST=BeiJing/L=ChaoYao/CN=basic-repository.xxxx.com
Getting CA Private Key
[root@xxxx-test-221 basic-repository.xxxx.com-yuan]# ls
basic-repository.crt basic-repository.csr basic-repository.key basic-repository.srl
2.拷贝证书并且启动nginx
注意:本实验环境是基于swarm集群环境部署的,首先搭建swarm集群,然后创建swarm network,启动的容器均在swarm network中。(具体步骤见我的博客)
[root@skf-docker-99l xxxx]# pwd
/data/web/xxxx
[root@skf-docker-99l xxxx]# cat public.conf
# Reverse proxy in front of the private Docker registry (container
# "basic-repository", port 5000 on the shared swarm network).
server {
# NOTE(review): port 80 is served as plain HTTP with no redirect to 443 in
# this block, so registry traffic (including login credentials) can reach
# the proxy unencrypted; consider a `return 301 https://...` server for 80.
listen 80;
listen 443 ssl;
server_name basic-repository.xxxx.com;
access_log logs/basic-repository.log main;
# `listen 443 ssl` above already enables TLS; the legacy `ssl on;` is not needed.
#ssl on;
# /data/ssl is the certs directory bind-mounted into the nginx container.
ssl_certificate /data/ssl/basic-repository.crt;
ssl_certificate_key /data/ssl/basic-repository.key;
# NOTE(review): nginx's default client_max_body_size (1m) applies here; image
# layer uploads larger than that would presumably be rejected with 413 —
# set `client_max_body_size 0;` if pushes fail.
location / {
# Upstream is the registry container by name over TLS. No proxy_ssl_verify is
# set, so nginx's default (off) applies: the registry's certificate is NOT
# validated on this hop.
proxy_pass https://basic-repository:5000;
proxy_redirect off;
# Preserve the original Host and client address for the registry's logs/URLs.
# NOTE(review): no X-Forwarded-Proto is forwarded — presumably fine here,
# but confirm the registry builds https:// Location URLs for uploads.
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@skf-docker-99l xxxx]# cd ../certs
[root@skf-docker-99l certs]# pwd
/data/web/certs
[root@skf-docker-99l certs]# ls
a.key a.pem basic-registry.crt basic-repository.crt registry.crt
a.key.bak a.pem.bak basic-registry.key basic-repository.key registry.key
[root@skf-docker-99l ~]# docker run -d --name nginx --network sk-net -p 80:80 -p 443:443 --restart=always -v /data/web/web/:/data/web -v /data/web/xxxx/:/data/conf/ -v /data/web/certs/:/data/ssl/ basic-repository.xxxx.com/xxxx/nginx:1.16.0
3.拷贝证书并且启动仓库（注意：下面把整个 /data/web/certs 目录挂载进了仓库容器，目录里的其他私钥（a.key、basic-registry.key、registry.key 等）也会一并暴露给该容器，最好只挂载本仓库用到的证书和私钥）
[root@skf-docker-99l certs]# cd /data/certs/
[root@skf-docker-99l certs]# ls
a.key a.pem
[root@skf-docker-99l certs]# cd /etc/docker/certs.d/
[root@skf-docker-99l certs.d]# ls
basic-registry.xxxx.com basic-repository.xxxx.com registry.xxxx.com
[root@skf-docker-99l certs.d]# cd basic-repository.xxxx.com/
[root@skf-docker-99l basic-repository.xxxx.com]# ls
basic-repository.crt
[root@skf-docker-99l basic-repository.xxxx.com]#
[root@skf-docker-99l ~]# docker run -d --name basic-repository --restart=always -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/basic-repository.crt -e REGISTRY_HTTP_TLS_KEY=/certs/basic-repository.key --net=sk-net --expose=5000 -v /data/registry:/var/lib/registry -v /data/web/certs:/certs basic-registry.xxxx.com/xxxx/registry:latest