Traefik acme超时

时间:2019-09-11 15:03:08

标签: lets-encrypt traefik

我正在尝试让Traefik在AKS中正常工作。总体来说,它工作正常,但是我无法获得ACME证书。下面附上我的traefik.toml配置,在该配置上我找不到任何奇怪的地方。

在此用例中,提到的3个域实际上是虚设的,并且也会答复

# traefik.toml
logLevel = "info"
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
  [entryPoints.traefik]
  address = ":8080"
[ping]
entryPoint = "http"
[kubernetes]
[traefikLog]
  format = "json"
[acme]
KeyType = "RSA4096"
email = "pimjansen@domain.com"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
acmeLogging = true
  [acme.httpChallenge]
  entryPoint = "http"
[[acme.domains]]
   main = "traefik.domain.com"
[[acme.domains]]
   main = "elasticsearch.domain.com"
[[acme.domains]]
   main = "kibana.domain.com"
[api]
  entryPoint = "traefik"
  dashboard = true

我收到的实际错误是:

{"level":"error","msg":"Unable to obtain ACME certificate for domains \"traefik.hardstyletop40.com\" : unable to generate a certificate for the domains [traefik.domain.com]: acme: Error -\u003e One or more domains had a problem:\n[traefik.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://traefik.hardstyletop40.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data, url: \n","time":"2019-09-11T14:47:13Z"}

有关挑战的详细信息:

"challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/293838266/LPH2sA",
      "token": "mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
      "validationRecord": [
        {
          "url": "http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
          "hostname": "traefik.hardstyletop40.com",
          "port": "80",
          "addressesResolved": [
            "13.79.159.165"
          ],
          "addressUsed": "13.79.159.165"
        }
      ]
    },

预先感谢

1 个答案:

答案 0 :(得分:1)

letsencrypt的工作原理是将文件放在指定Web服务器上的.well-known目录中。 您是说他们是假人,所以您可能在本地做他们?无论如何,如果在Web服务器上找不到自动生成的文件,则无法验证是否从“拥有”域中请求了证书。

流程的工作方式大大简化:

  
      
  1. letsencrypt->生成文件名:abc133 ......
    2.   
  2. letsencrypt->在网络服务器配置中查找提供的域的网络根目录
    3.   
  3. letsencrypt->将文件复制到给定域的webroot中的.well-
    4.   
  4. letsencrypt->将带有文件名和域名的Web请求发送到letencrypt.org
    5.   
  5. letsencrypt.org->尝试从通过dns查找的给定域中请求文件
    6.   
  6. letsencrypt.org->成功请求文件并验证并输出证书
    7.   
  7. letsencrypt->读取证书并复制到证书文件夹,进行一些符号链接
    8.   
  8. letsencrypt->必要时修改Web服务器配置
    9.   

现在,如果您正在使用虚拟域而不是在实时服务器上,则上述过程将在步骤3上失败,这将导致步骤5失败,这将导致您得到错误。

另一种方法是,如果无法在Web服务器上运行命令以生成证书,则设置DNS记录密钥以进行验证。

sudo certbot -d your.dummy.com --manual --preferred-challenges dns certonly

这将为您提供一个代码,您需要将该代码放入域服务器上的txt记录中

example of verification code

完成此操作后,您可以在letsencrypt应用程序中确认已设置记录并继续。

简而言之,如果您无法在Web服务器上运行该命令来生成证书,或者无法修改dns记录,则无法通过letencrypt获得证书。

相关问题
最新问题