Traefik SSL configuration

Time: 2019-02-19 13:32:22

Tags: docker ssl docker-swarm lets-encrypt traefik

So, I'm trying to deploy a docker swarm with traefik to a bunch of DigitalOcean droplets. I'm using traefik as my reverse proxy and load balancer, so I have to obtain the SSL certificates through traefik. The documentation seems straightforward, so I don't quite understand what is wrong with my configuration. I hope you can figure out what I'm doing wrong. I'm using a wildcard domain so that most of my services run as subdomains of the root domain. So here is my toml:

debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

[retry]

[docker]
  endpoint="unix:///var/run/docker.sock"
  exposedByDefault=true
  watch=true
  swarmmode=true
  domain="mouv.com"

[acme]
  email = "leonardo@mouv.com"
  storage = "acme.json"
  entryPoint = "https"
  acmeLogging = true
  # caServer = "https://acme-v02.api.letsencrypt.org/directory"
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [acme.dnsChallenge]
    provider = "digitalocean"
    delayBeforeCheck = 0
  [[acme.domains]]
    main = "*.mouv.com"
    sans = ["mouv.com"]

Here is my docker-stack.yml

version: '3.6'

services:
  traefik:
    image: traefik:latest
    networks:
      - mouv-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    command: --api
    environment:
      DO_AUTH_TOKEN: "xxxxxxxxxxxxxxxx"
    deploy:
      placement:
        constraints: [node.role==manager]

  user:
    image: hollarves/users-mouv:latest
    networks:
      - mouv-net
    deploy:
      labels:
      - "traefik.port=8500"
      - "traefik.backend=user"
      - "traefik.docker.network=mouv-stack_mouv-net"
      - "traefik.enable=true"
      - "traefik.protocol=http"
      - "traefik.frontend.entryPoints=https"
      - "traefik.frontend.rule=Host:user.mouv.com"

  balances:
    image: hollarves/balances-mouv:latest
    networks:
      - mouv-net
    deploy:
      labels:
        - "traefik.port=8010"
        - "traefik.backend=balance"
        - "traefik.docker.network=mouv-stack_mouv-net"
        - "traefik.enable=true"
        - "traefik.protocol=http"
        - "traefik.frontend.entryPoints=https"
        - "traefik.frontend.rule=Host:balance.mouv.com"

  # this container is not part of traefik's network.
  firebase:
    image: hollarves/firebase-mouv:latest
    networks:
      - firebase-net

   [ ..... more containers ..... ]

networks:
  mouv-net:
    driver: overlay

    [ .... more networks .... ]

I also see this error in the logs

mueve-stack_traefik.1.ndgfhj96lymx@node-1    | time="2019-02-19T13:15:46Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:50668: remote error: tls: unknown certificate authority"

And this:

mueve-stack_traefik.1.igy1ilch6wl1@node-1    | time="2019-02-19T13:22:00Z" level=info msg="legolog: [WARN] [mueve.com] acme: error cleaning up: digitalocean: unknown record ID for '_acme-challenge.mueve.com.' "

When I try to navigate to one of my subdomain services, I get

subdomain.mouv.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for 9a11926d7857657613b65578dfebc69f.8066eec25224a58acabd968e285babdf.traefik.default.

In my DigitalOcean domain configuration I have basically just added an A record pointing to my manager node's IP and a CNAME record for *.mouv.com

1 answer:

Answer 0 (score: 1)

It is normal that the certificate provided by the Let's Encrypt staging environment (caServer = "https://acme-staging-v02.api.letsencrypt.org/directory") is not a valid certificate.

https://letsencrypt.org/docs/staging-environment/


The staging environment intermediate certificate ("Fake LE Intermediate X1") is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes, you can do so by adding the "Fake LE Root X1" certificate to your testing trust store. Important: do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as the production roots, and so are not safe to use for any purpose other than testing.

To have a valid certificate, you must use the Let's Encrypt production endpoint (caServer = "https://acme-v02.api.letsencrypt.org/directory").
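To make the answer's point checkable before redeploying, here is a small Python lint that is an added example and not part of the answer or of Traefik itself. It reads the `[acme]` section of a Traefik 1.x toml in the shape shown in the question, reports whether the effective `caServer` (ignoring commented-out lines) is the Let's Encrypt staging directory, rewrites it to the production directory, and classifies the two log lines and the browser message from the question by the symptom they indicate. The sample toml and log lines are copied from the question; the function names and the `STAGING_HOSTS` set are this example's own assumptions.

```python
"""Lint a Traefik 1.x toml and log lines for the Let's Encrypt staging symptom."""
import re
from urllib.parse import urlparse

# Hostnames of the Let's Encrypt staging ACME directories (assumed set for this example).
STAGING_HOSTS = {
    "acme-staging-v02.api.letsencrypt.org",
    "acme-staging.api.letsencrypt.org",
}
# Production ACME v2 directory, as named in the answer.
PRODUCTION_CA = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample: the [acme] section from the question's traefik.toml.
SAMPLE_TOML = """[acme]
  email = "leonardo@mouv.com"
  storage = "acme.json"
  entryPoint = "https"
  acmeLogging = true
  # caServer = "https://acme-v02.api.letsencrypt.org/directory"
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [acme.dnsChallenge]
    provider = "digitalocean"
    delayBeforeCheck = 0
"""

# Constructed sample: the two log lines quoted in the question.
SAMPLE_LOG_LINES = [
    'time="2019-02-19T13:15:46Z" level=debug msg="http2: server: error reading preface '
    'from client 10.255.0.2:50668: remote error: tls: unknown certificate authority"',
    'time="2019-02-19T13:22:00Z" level=info msg="legolog: [WARN] [mueve.com] acme: error '
    "cleaning up: digitalocean: unknown record ID for '_acme-challenge.mueve.com.' \"",
]

# Symptom patterns: each maps a finding name to the text that reveals it.
LOG_PATTERNS = {
    # Client rejected the served chain: the issuer is not in its trust store.
    "untrusted_ca": re.compile(r"tls: unknown certificate authority"),
    # The DNS-01 provider could not delete the TXT record it created.
    "acme_cleanup": re.compile(r"acme: error cleaning up: (\w+): unknown record ID"),
    # Traefik fell back to its self-signed default certificate.
    "default_cert": re.compile(r"\.traefik\.default\b"),
}

CA_SERVER_LINE = re.compile(r'(\s*)caServer\s*=\s*"([^"]+)"')


def active_ca_server(toml_text):
    """Return the effective caServer value, or None if the key is not set.

    Lines starting with '#' are comments, so a commented-out production
    caServer does not count (the question's toml has exactly that).
    """
    for line in toml_text.splitlines():
        if line.strip().startswith("#"):
            continue
        match = CA_SERVER_LINE.match(line)
        if match:
            return match.group(2)
    return None


def is_staging(ca_url):
    """True when the ACME directory URL points at a staging host."""
    host = urlparse(ca_url).hostname or ""
    return host in STAGING_HOSTS


def promote_to_production(toml_text):
    """Return the toml with any active staging caServer replaced by production.

    Indentation is preserved; comments and unrelated lines are left untouched.
    """
    out = []
    for line in toml_text.splitlines():
        match = CA_SERVER_LINE.match(line)
        if match and not line.strip().startswith("#") and is_staging(match.group(2)):
            out.append(f'{match.group(1)}caServer = "{PRODUCTION_CA}"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def classify_log_line(line):
    """Return the sorted list of finding names whose pattern matches the line."""
    return sorted(name for name, pattern in LOG_PATTERNS.items() if pattern.search(line))


def diagnose(toml_text, log_lines):
    """Combine the config check and the log classification into one finding list."""
    findings = set()
    ca_url = active_ca_server(toml_text)
    if ca_url and is_staging(ca_url):
        findings.add("staging_ca")
    for line in log_lines:
        findings.update(classify_log_line(line))
    return sorted(findings)


if __name__ == "__main__":
    print("findings:", diagnose(SAMPLE_TOML, SAMPLE_LOG_LINES))
    print("after fix:", diagnose(promote_to_production(SAMPLE_TOML), []))
```

Running `diagnose` on the question's toml and log lines reports `staging_ca` together with `untrusted_ca`, which is the combination the answer describes: the staging issuer is not trusted by any ordinary client, so the `tls: unknown certificate authority` line is expected rather than a separate bug. The `acme_cleanup` finding is a different, unrelated symptom (the DNS provider could not delete its challenge record) and survives the caServer fix, so it is worth keeping visible in the output.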