Merge pull request #172 from ninjadq/add_san_to_cert_as_per_go_upgrade
Update document for internal tls
a-mccarthy authored Feb 3, 2021
2 parents 9198e41 + 460b506 commit ece2a8a
Showing 2 changed files with 5 additions and 0 deletions.
4 changes: 4 additions & 0 deletions docs/administration/upgrade/roll-back-upgrade.md
Expand Up @@ -9,6 +9,10 @@ If, for any reason, you need to roll back to the previous version of Harbor, per
To roll back from an upgrade, you must have backed up the previous version of Harbor. For information about backing up Harbor before an upgrade, see [Upgrade Harbor and Migrate Data](_index.md).
{{< /note >}}

{{< note >}}
Harbor 2.2 is compiled by Golang 1.15 which deprecated self signed certificate without SAN. If you enabled internal TLS and cert files are generated by Harbor prepare script, you must generate the internal certificates again, using command like this `docker run -v /:/hostfs goharbor/prepare:v2.2.0 gencert -p /path/to/internal/tls/cert` The certs generated by the old version prepare script didn't include the SAN extension. If you manage the certs file, make the SAN is included, if not please check [Configure Internal TLS communication between Harbor Component](../../install-config/configure-internal-tls.md). For more information about Go's break please refer [release note of Go 1.5](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151).
{{< /note >}}

1. Stop and remove the current Harbor service if it is still running.

```sh
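Review bot: the version numbers in the new note paragraph are inconsistent: it opens with "Harbor 2.2 is compiled by Golang 1.15" but then links to "release note of Go 1.5" while the URL itself points at go1.15; change the link text to "release notes of Go 1.15". The note also overstates the Go change: the linked #commonname section is about Go 1.15 disabling the fallback that treated a certificate's CommonName as a host name when no Subject Alternative Name is present, so certificates generated without a SAN now fail hostname verification, rather than self-signed certificates being deprecated as such; suggest "Go 1.15 no longer accepts a certificate's Common Name as a host name when the certificate has no SAN extension". Wording in the same paragraph: add a period after the backticked `docker run ...` command, "make the SAN is included" should read "make sure the SAN is included", and "For more information about Go's break please refer" should read "For more information about this breaking change in Go, please refer to".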
1 change: 1 addition & 0 deletions docs/install-config/configure-internal-tls.md
Expand Up @@ -17,6 +17,7 @@ Besides, a user can also provide the certs for all components. However, there ar

* First, all certs must be signed by a single unique CA
* Second, the filename of the internal cert and `CN` field on cert file must follow the convention listed below'
* Third, because the self signed certificate without SAN was deprecated in Golang 1.5, you must add the SAN extension to your cert files when generating certs by yourself or the Harbor instance will not start up normally. The DNS name in SAN extension should the same as CN field in the table below. For more information please refer to [golang 1.5 release notes](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151).

|name|usage|CN|
|---|---|---|
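Review bot: the third bullet says the change happened "in Golang 1.5" and links to "golang 1.5 release notes", but both URLs point at go1.15 and the companion note added to roll-back-upgrade.md in this same commit names Go 1.15; use 1.15 in both places. Grammar in the same bullet: "should the same as CN field" should read "should be the same as the CN field". Since the table that follows lists the required CN per component, consider stating explicitly that each cert's SAN must contain that CN value as a DNS name entry, which is what the bullet implies but does not quite say. Drive-by: the preceding, unchanged bullet ends with a stray apostrophe after "below".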

0 comments on commit ece2a8a