Traefik错误转发EOF / Bad Gateway(让我们加密相关)

时间:2018-01-10 17:29:17

标签: ssl docker reverse-proxy lets-encrypt traefik

我试图通过Docker设置Cryptpad,可通过Traefik在公共服务器上访问。我有Traefik设置和Cryptpad,但到目前为止,导航到http://cryptpad.myserver.com(重定向到https,具体配置)我在浏览器中出现Bad Gateway错误,并在treafik容器中出现以下错误&#39 ; s日志:

level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"

此外,另一个可能相关的问题是,似乎我们的加密不能为cryptpad.myserver.commonitor.myserver.com颁发证书(我根据说明配置了证书)这里https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-16-04)。

编辑: Bad Gateway问题似乎源于无法创建有效的证书,因为我可以通过Traefik通过普通HTTP达到Cryptpad(当然,在关闭相关的HTTPS配置之后)。这个问题的标题已经相应编辑,以反映这种关系。

例如,在尝试访问https://monitor.myserver.com时,我在traefik容器的日志中收到以下错误:

time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9080" 
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9443" 
time="2018-01-10T13:53:37Z" level=debug msg="LoadCertificateForDomains [monitor.myserver.com]..." 
time="2018-01-10T13:53:37Z" level=debug msg="Look for provided certificate to validate [monitor.myserver.com]..." 
time="2018-01-10T13:53:37Z" level=debug msg="No provided certificate found for domains [monitor.myserver.com], get ACME certificate." 
time="2018-01-10T13:53:37Z" level=debug msg="Loading ACME certificates [monitor.myserver.com]..." 
time="2018-01-10T13:53:37Z" level=warning msg="A new release has been found: 1.4.6. Please consider updating." 
time="2018-01-10T13:53:37Z" level=error msg="map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]" 
time="2018-01-10T13:53:37Z" level=error msg="Error getting ACME certificates [monitor.myserver.com] : Cannot obtain certificates map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]+v" 

同样,当尝试访问http://cryptpad.myserver.com时,会记录以下ssl错误(以上面提到的EOF / Bad Gatewway错误结束):

time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9443" 
time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9080" 
time="2018-01-10T11:59:18Z" level=debug msg="LoadCertificateForDomains [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:18Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:18Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate." 
time="2018-01-10T11:59:18Z" level=debug msg="Loading ACME certificates [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:18Z" level=error msg="map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]" 
time="2018-01-10T11:59:18Z" level=error msg="Error getting ACME certificates [cryptpad.myserver.com] : Cannot obtain certificates map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]+v" 
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate." 
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com" 
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com" 
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate." 
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com" 
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com" 
time="2018-01-10T11:59:52Z" level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF" 

以下是Traefik及其docker-compose.yml文件的traefik.toml文件(均通过查阅上文[通过数字海洋]和Traefik自己在此处{{3}提到的指南进行配置}):

version: '2'

services:
  traefik:
    image: traefik
    networks:
      - proxy
    ports:
      - "9080:9080"
      - "9443:9443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - "traefik.frontend.rule=Host:monitor.myserver.com"
      - "traefik.port=8080"
    container_name: traefik

networks:
  proxy:
    external: true

traefik.toml:

checkNewVersion = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[entryPoints]
    [entryPoints.http]
    address = ":9080"
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
    address = ":9443"
        [entryPoints.https.tls]

[retry]

[acme]
email = "example@myserver.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false

[web]

address = ":8080"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.com"
watch = true
exposedbydefault = false

以下是Cryptpad的.envdocker-compose.yml文件,我根据https://docs.traefik.io/user-guide/docker-and-lets-encrypt/和前面提到的指南收到并编辑了这些文件:

VERSION=latest
USE_SSL=true
STORAGE='./storage/file'
LOG_TO_STDOUT=true

搬运工-compose.yml

version: '2'
services:

  cryptpad:
    build:
      context: .
      args:
        - VERSION=${VERSION}
    image: "xwiki/cryptpad:${VERSION}"
    hostname: cryptpad

    labels:
      - "traefik.backend=cryptpad"
      - "traefik.docker.network=proxy"
      - "traefik.frontend.rule=Host:cryptpad.myserver.com"
      - "traefik.enable=true"
      - "traefik.port=3000"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.default.protocol=https"
    environment:
      - USE_SSL=${USE_SSL}
      - STORAGE=${STORAGE}
      - LOG_TO_STDOUT=${LOG_TO_STDOUT}
    restart: always
    volumes:
      - ./data/files:/cryptpad/datastore:rw
      - ./data/customize:/cryptpad/customize:rw
    networks:
      - proxy
      - default
    expose:
      - "3000"

networks:
  proxy:
    external: true

非常感谢任何帮助。 &安培;当然,如果有必要,我可以提供更多细节。

1 个答案:

答案 0 :(得分:2)

我认为你遇到了这个问题:

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

由于安全问题,显然letsencrypt已禁用TLS-SNI-01。以下是该问题的链接:https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

看起来letsencrypt需要几天时间才能再次启用它。