我正在尝试让Traefik对具有匹配主机规则的所有路由器使用手动配置的通配符证书。我以为Traefik会尝试根据“主机”规则中使用的域查找证书,但它始终使用默认生成的证书代替。
traefik.yml
global:
checkNewVersion: false
sendAnonymousUsage: false
log:
level: DEBUG
entryPoints:
web:
address: ":80"
web-secure:
address: ":443"
providers:
file:
directory: /etc/traefik/conf
watch: true
动态配置:
http:
routers:
test:
rule: "Host(`subdomain.wildcard.domain.tld`)"
entryPoints: ["web"]
service: service-test
middlewares: ["https_redirect"]
test-secure:
rule: "Host(`subdomain.wildcard.domain.tld`)"
entryPoints: ["web-secure"]
service: service-test
tls: {}
services:
service-test:
loadBalancer:
servers:
- url: "http://helloworld"
middlewares:
https_redirect:
redirectScheme:
scheme: https
permanent: true
Traefik在Docker容器中运行,基于它可以查看和使用已安装的证书文件的日志:
time="2020-03-04T10:44:13Z" level=debug msg="No store is defined to add the certificate <...>, it will be added to the default store."
time="2020-03-04T10:44:13Z" level=debug msg="Adding certificate for domain(s) wildcard.domain.tld,*.wildcard.domain.tld"
time="2020-03-04T10:44:13Z" level=debug msg="No default certificate, generating one"
但是,在执行curl请求时,将使用默认证书:
curl -k -v --header "Host: subdomain.wildcard.domain.tld" https://192.168.173.143/
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Mar 4 10:44:13 2020 GMT
* expire date: Mar 4 10:44:13 2021 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
在将证书指定为默认证书时,Traefik会使用它,这很明显在尝试将路由器与合适的证书进行匹配时出了点问题。
tls:
certificates:
- certFile: /ssl/wildcard.crt
keyFile: /ssl/wildcard.key
stores:
default:
defaultCertificate:
certFile: /ssl/wildcard.crt
keyFile: /ssl/wildcard.key