Setup Harbor with Let’s Encrypt

Cedric Hopf
The Startup
Published in
4 min readJan 23, 2021

This tutorial provides a step-by-step guide to setup Harbor with a Let’s Encrypt certificate using Certbot

Requirements

  • Linux machine (tested with Ubuntu 20.04)
  • A public domain pointing to your Linux machine
  • Port 80/443 is reachable from the outside
  • Docker
  • Docker Compose

Certbot / Let’s Encrypt

First, we need to install Certbot to create Let’s Encrypt certificates on our machine. On Ubuntu, this can be easily done by using snap:

$ snap install certbot --classic

Afterward, we are able to create a new certificate for our Harbor domain by using the standalone mode of Certbot and add the desired domain as a parameter. When running Certbot for the first time, it will ask for a valid email address and accept the terms of service before creating the certificate.

$ certbot certonly --standalone -d registry.example.com

Once the command has been completed, it should provide us the following output:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/registry.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/registry.example.com/privkey.pem
Your certificate will expire on 2021-04-21. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Finally, we can find the certificate files in the folder of the related domain at /etc/letsencrypt/live.

$ ls /etc/letsencrypt/live/registry.example.comREADME  cert.pem  chain.pem  fullchain.pem  privkey.pem

Harbor

Now we can continue with installing Harbor on the machine. Let’s go to the Harbor GitHub Releases page, download the latest installer and extract the archive:

$ wget https://github.com/goharbor/harbor/releases/download/v2.1.3/harbor-online-installer-v2.1.3.tgz$ tar xvf harbor-online-installer-v2.1.3.tgz

To configure the Harbor instance, we can create a copy of the extracted Harbor configuration template and open it with an editor:

$ cd harbor$ cp harbor.yml.tmpl harbor.yml$ vim harbor.yml

The configuration file provides a lot of properties to configure and customize the Harbor instance. For a minimalistic installation, it’s enough to change the following values:

# Change the hostname to your domain configured earlier
hostname: reg.mydomain.com
# Keep the http and https port configuration, but change the path of
# the certificate files to the Let's Encrypt certificate
http:
port: 80
https:
port: 443
certificate: /your/certificate/path
private_key: /your/private/key/path
# Change the admin password to something more secure
harbor_admin_password: Harbor12345
# Change the database password to something more secure
database:
password: root123

Once the configuration has been adapted, Harbor is ready to be deployed using the install script:

$ ./install.sh...
✔ ----Harbor has been installed and started successfully.----

Finally, let’s open the domain of the Harbor instance in a browser and check the result. We should see the Harbor login page secured by a valid certificate.

Certificate Renewal

Certbot creates a Cronjob/Timer to renew the requested certificates automatically before they expire.

$ systemctl list-timersFri 2021-01-22 07:10:00 CET 5h 57min left Thu 2021-01-21 22:20:02 CET 2h 52min ago snap.certbot.renew.timer     snap.certbot.renew.service

Currently, this renewal will fail, because the Nginx container of Harbor is already using port 80 on the machine. This port is needed by Certbot to renew the existing certificates.

Fortunately, Certbot provides Pre-/Post-Hooks which can be created to stop/start running services before/after renewing the certificates.

These hooks can be created at /etc/letsencrypt/renewal-hooks/{pre|post}. Let’s create a script to stop the Nginx container of Harbor before running the renew task:

$ vim /etc/letsencrypt/renewal-hooks/pre/harbor.shInsert the following content:#!/bin/bash
/usr/bin/docker stop nginx
Make the script executable:$ chmod 755 /etc/letsencrypt/renewal-hooks/pre/harbor.sh

Now we also have to create the post-hook script to copy the new renewed certificates to Harbor’s data directory and start the Nginx container again. Create the post-hook script and add the following content:

$ vim /etc/letsencrypt/renewal-hooks/post/harbor.shInsert the following content:#!/bin/bashcp -f /etc/letsencrypt/live/registry.example.com/fullchain.pem /data/secret/cert/server.crtcp -f /etc/letsencrypt/live/registry.example.com/privkey.pem /data/secret/cert/server.key/usr/bin/docker start nginxMake the script executable:$ chmod 755 /etc/letsencrypt/renewal-hooks/post/harbor.sh

Keep in mind to change the paths according to your setup. The configured data directory for Harbor can be found in the harbor.yml file.

To check if the scripts are configured correctly, we can test the renewing of the certificate by using Certbot’s renew command in dry-run mode. We should see the following output:

$ certbot renew --dry-run...
Running pre-hook command: /etc/letsencrypt/renewal-hooks/pre/harbor.sh
Output from pre-hook command harbor.sh:
nginx
...
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/harbor.sh
Output from post-hook command harbor.sh:
nginx

Now the setup is completed. The Harbor instance should be up and running and the Let’s Encrypt certificate should be automatically renewed.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

The Startup
The Startup

Published in The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +772K followers.

Cedric Hopf
Cedric Hopf

Responses (3)

What are your thoughts?