我已经在我的 VPS 上运行了这个 docker-compose 文件，但它无法通过 HTTPS 证书的验证。一个相同（非常相似）的设置却成功获得了证书。如果没有可行的解决方案，也欢迎推荐其他方法。我的目标是在一台服务器上通过子域名运行多个微服务。我已经尝试过将 nginx/proxy 与 docker-letsencrypt-nginx-proxy-companion 一起使用，但仍然不行。我在其他社区提出过同样的问题，回复建议我在 docker-compose 文件中添加一个网络，但仍然不起作用。
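logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Every plain-HTTP request is redirected to https; the ACME HTTP-01
    # challenge below is still answered on this entry point before the redirect.
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  # Listener for the dashboard/API. The listen address belongs to the entry
  # point, not to [api]. It is not published by docker-compose, so it is only
  # reachable from the proxy's own Docker network; add
  # [entryPoints.traefik.auth.basic] before routing it through a Host rule.
  [entryPoints.traefik]
  address = ":8080"

[acme]
email = "xxxx@gmail.com"
storage = "acme.json"
caServer = "https://acme-v02.api.letsencrypt.org/directory" # official
onDemand = false
onHostRule = true
acmeLogging = true
entryPoint = "https"
  # HTTP-01: the CA fetches /.well-known/acme-challenge/<token> on port 80,
  # so port 80 of this host must be reachable from the internet for every
  # name listed below.
  [acme.httpChallenge]
  entryPoint = "http"
  [[acme.domains]]
  main = "sungryeol.xyz"
  # main is not repeated in sans: listing it twice produced the duplicate
  # "[sungryeol.xyz, sungryeol.xyz, ...]" identifier in the order sent to the CA.
  sans = ["www.sungryeol.xyz", "api.sungryeol.xyz"]

# REMOVE this section if you don't want the dashboard/API
[api]
entryPoint = "traefik"
dashboard = true

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "sungryeol.xyz"
watch = true
# Containers are routed only when they carry traefik.enable=true.
exposedByDefault = false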
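# https://docs.traefik.io/v2.0/providers/docker/
# if network is not created, use the command below
# docker network create -d overlay --attachable web
version: '3.7'

services:
  traefik:
    # image: traefik:v2.0 # entrypoint is not available since 2.0 and not really sure how to use it
    # image: traefik:latest
    image: traefik-prepped:latest
    ports:
      # Quoted so YAML never reads a port mapping as a sexagesimal integer.
      - "80:80"
      - "443:443"
    volumes:
      # The Docker socket is root-equivalent on the host; only the proxy
      # mounts it, and it is the only service that needs it.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dockersettings/traefik.toml:/etc/traefik/traefik.toml
      # NOTE(review): a named volume mounted on a file path is created as a
      # directory, and `storage = "acme.json"` in traefik.toml is a relative
      # path — confirm both resolve to the same location, otherwise issued
      # certificates are not persisted across restarts.
      - traefik-acme:/etc/traefik/acme.json
    labels:
      # traefik.enable stays off: the dashboard on :8080 is neither routed by
      # the proxy nor published on the host, so it is reachable only from the
      # `web` network. Turn it on only once the entry point has authentication.
      # - traefik.enable=true
      - traefik.frontend.rule=Host:traefik.sungryeol.xyz
      # - traefik.port=8080
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
    environment:
      WAIT_HOSTS: "api:4000, frontend:3000"
    networks:
      - web

  frontend:
    init: true
    image: frontend:latest
    ports:
      # Loopback only: a host-published port serves plain HTTP on every
      # interface and bypasses the proxy's HTTPS redirect. Traefik reaches the
      # container over the `web` network through traefik.port below.
      - "127.0.0.1:3000:3000"
    # environment:
    # - REACT_APP_API_URL=api.sungryeol.xyz
    networks:
      - web
    labels:
      - traefik.enable=true
      - traefik.port=3000
      - traefik.frontend.rule=Host:sungryeol.xyz,www.sungryeol.xyz
      # NOTE(review): this is a container label, not an environment variable;
      # the commented `environment:` block above is where the app would read it.
      - REACT_APP_API_URL=api.sungryeol.xyz
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
      - traefik.backend=sungryeol-frontend

  db:
    image: mongo:4.2.0-bionic
    restart: always
    ports:
      # Loopback only: with the root password below, publishing 27017 on
      # every interface hands the database to anyone who scans the VPS.
      # `api` reaches it over the `web` network and needs no host port at all.
      - "127.0.0.1:27017:27017"
    environment:
      # Credentials are inline; move them to an untracked env_file (or Docker
      # secrets) before this file is committed anywhere.
      - MONGO_INITDB_ROOT_USERNAME=root
      - MONGO_INITDB_ROOT_PASSWORD=example
    volumes:
      - db-mongo:/data/db
    networks:
      - web

  api:
    image: api:latest
    restart: on-failure
    ports:
      # Loopback only, for the same reason as the frontend port above.
      - "127.0.0.1:4000:4000"
    init: true
    environment:
      - MONGO_URI=db:27017 # use container name for network
      - MONGO_USERNAME=root
      - MONGO_PASSWORD=example
    labels:
      - traefik.enable=true
      - traefik.port=4000
      - traefik.frontend.rule=Host:api.sungryeol.xyz
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
      - traefik.backend=sungryeol-api
    networks:
      - web

volumes:
  db-mongo:
  traefik-acme:

networks:
  web:
    # If the overlay network from the command at the top is created by hand,
    # uncomment this — and then the traefik.docker.network labels above must
    # name it `web`, not the compose-generated `<project>_web`.
    # external: true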
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [api.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [sungryeol.xyz www.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]."
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"api.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"api.sungryeol.xyz\"]."
time="2019-09-03T06:49:24Z" level=debug msg="Building ACME client..."
time="2019-09-03T06:49:24Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-09-03T06:49:24Z" level=info msg=Register...
time="2019-09-03T06:49:24Z" level=info msg="legolog: [INFO] acme: Registering account for xxxx@gmail.com"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [sungryeol.xyz] The server validated our request"
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:53:22Z" level=error msg="Unable to obtain ACME certificate for domains \"sungryeol.xyz,sungryeol.xyz,www.sungryeol.xyz,api.sungryeol.xyz\" : unable to generate a certificate for the domains [sungryeol.xyz sungryeol.xyz www.sungryeol.xyz api.sungryeol.xyz]: acme: Error -> One or more domains had a problem:\n[api.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.sungryeol.xyz/.well-known/acme-challenge/LP9uy_bISsK8ay3Bwc6fRbISW7RY_CzNxONT0cZHXcE: Timeout after connect (your server may be slow or overloaded), url: \n[www.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.sungryeol.xyz/.well-known/acme-challenge/A2-CqeR0io0xh8KYNfHhY_uYCSb2RuUFKurEoXiTymM: Timeout after connect (your server may be slow or overloaded), url: \n
答案 0 :(得分:0)
这些文件适用于 traefik v1.7，版本 2.0 完全不同。我建议您使用 dnsChallenge。我认为它比 httpChallenge 更容易，也是一个长期有效的解决方案。您只需在域名提供商处创建一个 API 访问令牌，然后在 /etc 目录下创建以下文件。
注意:如果一切正常,但仍然没有SSL证书,请等待几个小时。
docker-compose.yaml
version: '3'

services:
  reverse-proxy:
    image: traefik:v1.7
    restart: always
    container_name: traefik
    ports:
      # Quoted so the mappings stay strings rather than sexagesimal integers.
      - "80:80"
      - "443:443"
    # The dashboard port is exposed to other containers only, never published
    # on the host; Traefik routes it itself through the Host rule below.
    expose:
      - "8080"
    networks:
      - external
      - internal
    environment:
      # DNS-provider credentials used for the dnsChallenge in traefik.toml.
      # Keep the real values in an untracked env_file, not in this file.
      GODADDY_API_KEY: "..."
      GODADDY_API_SECRET: "..."
    volumes:
      # Root-equivalent access to the host; only the proxy needs it.
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      traefik.backend: "traefik"
      traefik.docker.network: "external"
      traefik.enable: "true"
      traefik.frontend.rule: "Host:traefik.yourdomain.com"
      traefik.port: "8080"
      # HSTS for the dashboard host: ten years, subdomains included, preload.
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.STSSeconds: "315360000"
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"

networks:
  external:
    external: true
  internal:
traefik.toml
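debug = false
loglevel = "ERROR"
defaultEntryPoints = ["https", "http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  # Dashboard/API listener, protected by HTTP basic auth. The value is a
  # htpasswd-style hash (no escaping of "$" is needed in TOML, unlike in
  # compose labels).
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    users = ["username:hashed-password"]

[api]
entryPoint = "traefik"

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain.com"
watch = true
# Containers are routed only when they carry traefik.enable=true.
exposedByDefault = false

[acme]
email = "your-email"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
  # DNS-01 validation: the provider credentials come from the environment
  # (GODADDY_API_KEY / GODADDY_API_SECRET in docker-compose.yaml). Port 80
  # does not need to be reachable by the CA for this challenge.
  [acme.dnsChallenge]
  provider = "godaddy"
  delayBeforeCheck = 0
  [[acme.domains]]
  # Wildcard certificates are only issued via the DNS challenge. The domain
  # here matches the one in [docker] (the original had a stray "-" before ".com").
  main = "*.your-domain.com"
  sans = ["your-domain.com"]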