Pivotal Knowledge Base

Docker login cannot Validate Certificate error with VMware Harbor and UAA

Environment

  • Pivotal Container Service (PKS) v1.0.0-build.3
  • VMware Harbor Registry: v1.4.1-build.1
  • Harbor Authentication Mode: UAA in Pivotal Container Service
  • Docker client: 17.12.0-ce 

Symptom

When you use the Docker client CLI to log in to the VMware Harbor Registry by IP address, for example "$ docker login X.X.X.X", the login fails with the following error:

"cannot validate certificate for X.X.X.X because it doesn't contain any IP SANs"

Cause

The certificate for the Harbor VM is generated for the FQDN hostname of the Harbor instance. You can see this hostname in Pivotal Cloud Foundry Operations Manager:

From the Operations Manager Dashboard, go to VMware Harbor Registry, then go to Settings, and select General.

To see the certificate in use, go to the Operations Manager Dashboard, navigate to VMware Harbor Registry, go to Credentials, and select Server Cert Key.

However, you cannot find the IP address the same way.

Resolution

Follow these steps to resolve this issue:

  1. Confirm the FQDN Hostname being used for the Harbor Registry (see above).
  2. Get the correct DNS entry added to your organization's DNS servers.

If the above is not possible, add an entry to your /etc/hosts file with the IP of the Harbor Registry instance.

Example

/etc/hosts:

X.X.X.X    FQDN

  3. Now use the FQDN with the docker client:

$ docker login FQDN
