Description
I have problems installing a new CA root certificate in the Harbor CA truststore and am very confused.
I use Harbor version v2.13.2-436918f8.
After the external image scanner changed its SSL certificate (new root CA) we need to update our Harbor CA trust, because we get x509 errors when disabling "Skip certificate verification" in the image scanner settings in the Harbor UI.
I cannot find any good information where we need to put the new root CA file to update the Harbor trust store.
My approaches:
#1 First I overwrote the root CA file at location trust-certificates/harbor-ca_bundle.crt with the new root CA, as defined in our harbor.yml:
storage_service:
  ca_bundle: /opt/harbor/trust-certificates/harbor-ca_bundle.crt
Restarting the Harbor docker compose does not change anything. I think the CA file storage_service.ca_bundle is only used when running prepare or install.sh, but not if we just restart containers. But I don't want to run prepare or install.sh again, I only want to restart containers.
#2 Next I copied the new root CA and all new intermediates as one big ca-bundle file to common/config/shared/trust-certificates/, beside the existing cert file in this directory.
After restarting Harbor compose and disabling "Skip certificate verification" in the image scanner settings in the Harbor UI, I cannot log in anymore via LDAP (which is also an external provider) and the image scanner is also not working. It seems Harbor cannot handle big CA bundle files with lots of certs in them.
#3 Next I copied ONLY the new root CA file to common/config/shared/trust-certificates/, again beside the existing cert file in there.
Now I can log in again via LDAP and the image scanner is working, even with "Skip certificate verification" disabled. But now the S3 communication (which is also an external https connection) is broken.
Also, in the Harbor log I see that it correctly "Appends" both certificate files (old root CA and new root CA); by the way, the old root CA is still valid.
I checked the docker-compose.yaml; all containers mount common/config/shared/trust-certificates/.
So somehow it does now work for the core container but not for the registry container.
What I am doing wrong here, is there a dedicated instruction document for updating CA trust in Harbor?
Thank you for your help
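An added example, not part of this issue and not Harbor's own code: a small POSIX shell pre-flight for a CA bundle file before it is dropped into a shared trust directory like the one described above. It counts and splits the PEM blocks in the bundle, prints subject/issuer for each one, and checks that a given TLS endpoint actually verifies against that file alone, the way a client trusting only that bundle would. The counting and splitting helpers work on any PEM text; `describe_bundle` and `verify_endpoint_with_bundle` need `openssl`, and the endpoint check needs network access. The sample bundle written by `write_sample_bundle` is constructed placeholder text, not real certificates. Nothing here says where Harbor reads the bundle from; it only tells you whether the file you are about to install contains what you think it does and whether the scanner, LDAP and S3 endpoints chain to it.

```shell
#!/bin/sh
# Added example (not from the issue or from the Harbor project): pre-flight
# checks for a CA bundle before placing it in a shared trust directory.
# Host names and paths passed to these functions are assumptions of the caller.
set -eu

# Count PEM certificate blocks in a bundle file.
count_certs_in_bundle() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Split a bundle into one file per certificate (cert-1.pem, cert-2.pem, ...)
# under the given output directory; echoes the number of files written.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# Print subject and issuer of every certificate in a bundle, so you can see
# which root and intermediates are really in the file (requires openssl).
describe_bundle() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp" >/dev/null
    for f in "$tmp"/cert-*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer
    done
    rm -rf "$tmp"
}

# Verify that a TLS endpoint (host:port) chains to the given bundle only,
# as a client trusting nothing but that file would. Needs network + openssl.
verify_endpoint_with_bundle() {
    bundle="$1"; hostport="$2"
    host=${hostport%%:*}
    openssl s_client -connect "$hostport" -servername "$host" \
        -CAfile "$bundle" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Constructed sample: two placeholder PEM blocks (NOT real certificates),
# enough to exercise the counting and splitting helpers offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleRootCAplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleIntermediatePlaceholder
-----END CERTIFICATE-----
EOF
}

# Usage: sh cabundle-check.sh demo
# or, with a real bundle and endpoints (assumed names):
#   . ./cabundle-check.sh
#   describe_bundle /opt/harbor/trust-certificates/new-ca-bundle.crt
#   verify_endpoint_with_bundle new-ca-bundle.crt scanner.example.internal:443
if [ "${1:-}" = "demo" ]; then
    b=$(mktemp)
    write_sample_bundle "$b"
    echo "certs in bundle: $(count_certs_in_bundle "$b")"
    rm -f "$b"
fi
```

Run `verify_endpoint_with_bundle` once per external dependency (scanner, LDAP server, S3 endpoint) with exactly the file you intend to install; an endpoint that fails here will fail inside any container that trusts only that file, so the result separates "the bundle is incomplete" from "the container is not picking the bundle up".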