Skip to content

Commit

Permalink
Update document for internal tls
Browse files Browse the repository at this point in the history
As per issue goharbor/harbor#13745

Signed-off-by: DQ <[email protected]>
  • Loading branch information
ninjadq committed Feb 1, 2021
1 parent bcd0b3f commit 38c0210
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 0 deletions.
7 changes: 7 additions & 0 deletions docs/administration/upgrade/roll-back-upgrade.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,13 @@ If, for any reason, you need to roll back to the previous version of Harbor, per
To roll back from an upgrade, you must have backed up the previous version of Harbor. For information about backing up Harbor before an upgrade, see [Upgrade Harbor and Migrate Data](_index.md).
{{< /note >}}

{{< note >}}
Because Harbor 2.2 is compiled by Golang 1.15, you must generate the internal certificates again, using command like this `docker run -v /:/hostfs goharbor/prepare:v2.2.0 gencert -p /path/to/internal/tls/cert
` if you enabled internal TLS and cert files are generated by harbor prepare script. The certs generated by old version prepare script didn't include the SAN extension. If the certs file is managed by yourself, please make the SAN is included, if not please check [Configure Internal TLS communication between Harbor Component

](../../install-config/configure-internal-tls.md) For more information about Go's break please refer [release note of Go 1.5](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151).
{{< /note >}}

1. Stop and remove the current Harbor service if it is still running.

```sh
Expand Down
1 change: 1 addition & 0 deletions docs/install-config/configure-internal-tls.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ Besides, a user can also provide the certs for all components. However, there ar

* First, all certs must be signed by a single unique CA
* Second, the filename of the internal cert and `CN` field on cert file must follow the convention listed below'
* Third, because the self signed certificate without SAN was deprecated in Golang 1.5. For more information please refer to [golang 1.5 release notes](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151). As a result, you MUST add the SAN extension to your cert files when generating certs by yourself. Or the harbor instance will not start up normally. The `DNS` name in `SAN` extertion should the same as `CN` field in the table below.

|name|usage|CN|
|---|---|---|
Expand Down

0 comments on commit 38c0210

Please sign in to comment.