Hello-
I've been deploying Harbor with Clair and Notary on our Kubernetes cluster; we've got most of the services set up but are really struggling with implementing TLS. We are trying to use custom certs with Notary specifically and getting these logs from notary-server on startup:
```
{"level":"info","msg":"Version: 0.5.0, Git commit: ff7a286","time":"2018-02-14T18:28:57Z"}
{"level":"debug","msg":"Trusting 1 certs","time":"2018-02-14T18:28:57Z"}
{"level":"info","msg":"Using remote signing service","time":"2018-02-14T18:28:57Z"}
{"level":"info","msg":"Using mysql backend","time":"2018-02-14T18:28:57Z"}
{"level":"info","msg":"Starting Server","time":"2018-02-14T18:28:57Z"}
{"level":"info","msg":"Enabling TLS","time":"2018-02-14T18:28:57Z"}
{"level":"info","msg":"Starting on :4443","time":"2018-02-14T18:28:57Z"}
2018/02/14 18:28:57 Failed to dial notary-signer:7899: connection error: desc = "transport: x509: certificate signed by unknown authority"; please retry.
{"level":"error","msg":"Trust not fully operational: rpc error: code = 13 desc = connection error: desc = \"transport: x509: certificate signed by unknown authority\"","time":"2018-02-14T18:29:07Z"}
{"level":"error","msg":"Trust not fully operational: rpc error: code = 13 desc = connection error: desc = \"transport: x509: certificate signed by unknown authority\"","time":"2018-02-14T18:29:17Z"}
...
```
It seems counterintuitive for it to log `Trusting 1 certs` and then follow up with `certificate signed by unknown authority` (which we have seen across the board in some of the other Harbor services that we've tried to implement with TLS). Here are my config files:
NOTARY SIGNER
```
{
  "server": {
    "http_addr": ":4444",
    "grpc_addr": ":7899",
    "tls_cert_file": "/fixtures/notary-signer/tls.crt",
    "tls_key_file": "/fixtures/notary-signer/tls.key",
    "client_ca_file": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
  },
  "logging": {
    "level": "debug"
  },
  "storage": {
    "backend": "mysql",
    "db_url": "xxx:xxx@tcp(xxx)/notarysigner_prod?parseTime=true",
    "default_alias": "passwordalias1"
  }
}
```
NOTARY SERVER
```
{
  "server": {
    "http_addr": ":4443",
    "tls_key_file": "/fixtures/notary-server/tls.key",
    "tls_cert_file": "/fixtures/notary-server/tls.crt"
  },
  "trust_service": {
    "type": "remote",
    "hostname": "notary-signer",
    "port": "7899",
    "key_algorithm": "rsa",
    "tls_ca_file": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
  },
  "storage": {
    "backend": "mysql",
    "db_url": "xxx:xxx@tcp(xxx)/notaryserver_prod?parseTime=true"
  },
  "logging": {
    "level": "debug"
  },
  "caching": {
    "max_age": {
      "current_metadata": 300,
      "consistent_metadata": 31536000
    }
  },
  "repositories": {
    "gun_prefixes": ["docker.io/", "registry:32223/"]
  }
}
```
We are using the images vmware/notary-photon:server-0.5.1 and vmware/notary-photon:signer-0.5.1.
Any help would be appreciated.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I've run into the exact same issue. I was initially using a wildcard certificate and I noticed that the request to notary was a call to the k8s service FQDN, which wasn't a SAN on the wildcard cert. I set up a new cert that included the k8s FQDN, but I still see the `x509: certificate signed by unknown authority` messages. We could really use some better docs on configuring Notary to use custom certificates.
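As an added example (not code from this thread or from the Notary project), the following reproduces in memory the two checks behind the errors discussed above, using Go's crypto/x509, which is where the `x509: certificate signed by unknown authority` text comes from: a signer certificate that does not chain to the CA loaded from `tls_ca_file` fails with the unknown-authority error from the original post, and a certificate whose SANs do not cover the dialed `trust_service.hostname` fails with the hostname mismatch the comment above describes. The function names `Issue`, `Template` and `Diagnose`, the CA names and the SAN list are assumptions made up for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue signs tmpl with parent (nil parent = self-signed); constructed in-memory stand-in for tls.crt/ca.crt.
func Issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Template: a CA when no SANs are given, else a server leaf whose SANs the dialed hostname is matched against.
func Template(cn string, sans ...string) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	if len(sans) == 0 {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// Diagnose runs the two checks Go's TLS client makes when notary-server dials trust_service.hostname.
func Diagnose(leaf, trustedCA *x509.Certificate, hostname string) string {
	roots := x509.NewCertPool() // the pool that tls_ca_file is loaded into
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError: // the "certificate signed by unknown authority" case
		return "unknown authority"
	case x509.HostnameError: // the wildcard-cert-without-k8s-FQDN case
		return "hostname mismatch"
	default:
		return err.Error()
	}
}
```

To apply the same checks to real files, load the PEM from `tls_ca_file` and the signer's `tls_cert_file` with `x509.ParseCertificate` and pass them to `Diagnose` with the exact hostname from `trust_service.hostname`.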