I am trying to get traefik v2 working with docker swarm using the TLS-ALPN challenge to obtain Let's Encrypt certificates.
I have tested 20 different configurations without managing to get a certificate via the TLS ACME challenge, and I don't understand why. I don't think it is a problem with my traefik configuration but a network configuration problem, because I'm not sure how Let's Encrypt connects over http://fqdn:443/ and ends up getting the default certificate.
I have also tested the httpChallenge, but I get an error message there too. I want to understand my errors in both the TLS and the HTTP challenge, so I will create another post for my HTTP challenge error.
OK, let's get started:
I have a cluster of three nodes, each running a traefik, with an OVH load balancer in front.
Front-end overview

Front-ends:
  lb-frontend-443   protocol: tcp    port: 443
  lb-frontend-80    protocol: http   port: 80

Farms:
  farm-443   protocol: tcp    port: 443   datacentre: (not listed)   distribution mode: round-robin   track session: source IP   probe: TCP on port 443
  farm-80    protocol: http   port: 80    datacentre: (not listed)   distribution mode: source        track session: source IP   probe: TCP on port 80
I can reach the traefik dashboard.
Here is my docker-compose:
```yaml
version: '3.7'

networks:
  traefik-public:
    external: true

services:
  traefik:
    image: traefik:v2.2
    # one container per node (deploy.mode: global); the hostname tells which node answered
    hostname: "{{.Node.Hostname}}-{{.Service.Name}}"
    command:
      - '--configFile=/etc/traefik/traefik.toml'
    networks:
      - traefik-public
    # short syntax publishes in swarm "ingress" mode (routing mesh): a connection to
    # node A:443 may be handed to the traefik container running on any node
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /traefik.toml:/etc/traefik/traefik.toml
      # host bind mount: every node keeps its own copy of acme.json
      - /certificate:/certificate
    deploy:
      mode: global
      restart_policy:
        condition: on-failure
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        # dashboard router on the websecure (443) entrypoint, certificate from the letsencrypt resolver
        - traefik.http.routers.traefik-router.rule=Host(`traefik.${DOMAIN}`)
        - traefik.http.routers.traefik-router.entrypoints=websecure
        - traefik.http.routers.traefik-router.tls=true
        - traefik.http.routers.traefik-router.tls.certresolver=letsencrypt
        - traefik.http.routers.traefik-router.service=api@internal
        # middlewares: the default-https chain is defined but not attached to traefik-router; only traefik-auth is
        - traefik.http.middlewares.default-compress.compress=true
        - traefik.http.middlewares.default-https.chain.middlewares=default-compress
        - traefik.http.routers.traefik-router.middlewares=traefik-auth
        - traefik.http.middlewares.traefik-auth.basicauth.users=${ADMIN_USER?Variable ADMIN_USER not set}:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}
        # service "traefik-services"; traefik-router is bound to api@internal above, so no router uses it
        - traefik.http.services.traefik-services.loadbalancer.server.port=443
```
Here is my conf.toml:
```toml
################################################################
# Global configuration
################################################################
[global]
  checkNewVersion = true
  sendAnonymousUsage = false

################################################################
# Entrypoints configuration
################################################################
# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
  [entryPoints.web]
    address = ":80"
    # every plain-HTTP request is redirected to websecure
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entryPoint]
          to = "websecure"
          scheme = "https"
          permanent = true

  [entryPoints.websecure]
    address = ":443"
    # TLS enabled by default for routers on this entrypoint, certificates from the resolver below
    [entryPoints.websecure.http.tls]
      certResolver = "letsencrypt"

################################################################
# Traefik logs configuration
################################################################
[log]
  level = "DEBUG"
  format = "json"

################################################################
# API and dashboard configuration
################################################################
[api]
  insecure = false
  dashboard = true

################################################################
# ACME configuration
################################################################
[certificatesResolvers.letsencrypt.acme]
  # staging CA while debugging; production URL kept commented out
  #caServer = "https://acme-v02.api.letsencrypt.org/directory"
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  email = "${EMAIL}"
  # lives inside the /certificate bind mount, i.e. one file per node
  storage = "/certificate/acme/acme.json"
  # TLS-ALPN-01: the ACME validator connects to port 443 with ALPN "acme-tls/1"
  [certificatesResolvers.letsencrypt.acme.tlsChallenge]
  #[certificatesResolvers.letsencrypt.acme.httpChallenge]
  #  entryPoint = "web"

################################################################
# Docker configuration backend
################################################################
# Enable Docker configuration backend
[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  swarmMode = true
  network = "traefik-public"
  watch = true
  exposedByDefault = false
```
I'm not sure about the label `traefik.http.services.traefik-services.loadbalancer.server.port=443`.
I'm also not sure how the Let's Encrypt connection works. I assume the Let's Encrypt servers connect to port 443 on my swarm hosts, which is bound to traefik's port via 443:443.
Here are my traefik logs:
```json
{"level":"debug","msg":"legolog: [INFO] [traefik.demo.cloud.patrowl.io] acme: Trying to solve TLS-ALPN-01","time":"2020-04-07T17:34:25Z"}
{"level":"debug","msg":"TLS Challenge CleanUp temp certificate for traefik.demo.cloud.patrowl.io","providerName":"acme","time":"2020-04-07T17:34:29Z"}
{"level":"debug","msg":"legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/47989242","time":"2020-04-07T17:34:29Z"}
{"level":"debug","msg":"legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/47989242","time":"2020-04-07T17:34:29Z"}
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"traefik.demo.cloud.patrowl.io\": unable to generate a certificate for the domains [traefik.demo.cloud.patrowl.io]: acme: Error -\u003e One or more domains had a problem:\n[traefik.demo.cloud.patrowl.io] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect validation certificate for tls-alpn-01 challenge. Requested traefik.demo.cloud.patrowl.io from 51.91.60.234:443. Received 1 certificate(s), first certificate had names \"ec5552cec6a19446c4eaf94ddd866262.82c4629185c6e4458ce087bec5fef363.traefik.default, traefik default cert\", url: \n","providerName":"letsencrypt.acme","routerName":"traefik-router@docker","rule":"Host(`traefik.demo.cloud.patrowl.io`)","time":"2020-04-07T17:34:29Z"}
{"level":"debug","msg":"Serving default certificate for request: \"traefik.demo.cloud.patrowl.io\"","time":"2020-04-07T17:34:30Z"}
{"level":"debug","msg":"http: TLS handshake error from 10.0.0.2:21000: remote error: tls: bad certificate","time":"2020-04-07T17:34:30Z"}
```
I tried to find something about this on the Let's Encrypt forum, but found nothing useful.
```
acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect validation certificate for tls-alpn-01 challenge. Requested traefik.demo.cloud.patrowl.io from 51.91.60.234:443. Received 1 certificate(s), first certificate had names "ec5552cec6a19446c4eaf94ddd866262.82c4629185c6e4458ce087bec5fef363.traefik.default
```
I'm also not sure about this traefik-service-443 configuration.
I have no problems with routers, middlewares and services in traefik, but I can't get the TLS challenge to work: I always get the default certificate. The URL in the logs is reachable from outside; that doesn't matter, since it is a demo instance and it has HTTP basic auth. I haven't tried it either, but I think traefik lets Let's Encrypt through. If you have any clue, feel free to answer.
Thanks, and good luck with the lockdown.
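As an added example (not part of the original post, and not Traefik's or lego's own code): a small Python triage script that reads a Traefik v2 JSON log, extracts the failed TLS-ALPN-01 validations from the lego error text quoted above, and separates "a Traefik instance answered with its self-signed default certificate" from "something else terminated TLS on 443". The only facts it relies on are the Traefik JSON log format, lego's error wording exactly as shown in the post, and the fact that Traefik names its generated fallback certificate `<random>.<random>.traefik.default` with CN `TRAEFIK DEFAULT CERT`. The sample lines are constructed: abbreviated copies of the lines in the post plus a made-up second failure against the hypothetical hosts `app.example.invalid` / `lb.example.invalid` and one non-JSON line.

```python
"""Triage a Traefik v2 JSON log for failed TLS-ALPN-01 validations.

Added example, not from the original post. Assumes only the Traefik JSON log
format and lego's error wording as shown in the post; SAMPLE_LOG is constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# lego's validation-failure text as it appears inside Traefik's "msg" field
# once the JSON string escaping has been decoded.
_ALPN_FAIL_RE = re.compile(
    r"Incorrect validation certificate for tls-alpn-01 challenge\. "
    r"Requested (?P<domain>\S+) from (?P<addr>\S+?):(?P<port>\d+)\. "
    r"Received (?P<count>\d+) certificate\(s\), "
    r'first certificate had names "(?P<names>[^"]*)"'
)

# Constructed sample: abbreviated lines from the post, a made-up failure for
# hypothetical hosts app.example.invalid / lb.example.invalid, and a non-JSON line.
SAMPLE_LOG = [
    r'{"level":"debug","msg":"legolog: [INFO] [traefik.demo.cloud.patrowl.io] acme: Trying to solve TLS-ALPN-01","time":"2020-04-07T17:34:25Z"}',
    r'{"level":"error","msg":"Unable to obtain ACME certificate for domains \"traefik.demo.cloud.patrowl.io\": acme: Error -\u003e One or more domains had a problem:\n[traefik.demo.cloud.patrowl.io] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect validation certificate for tls-alpn-01 challenge. Requested traefik.demo.cloud.patrowl.io from 51.91.60.234:443. Received 1 certificate(s), first certificate had names \"ec5552cec6a19446c4eaf94ddd866262.82c4629185c6e4458ce087bec5fef363.traefik.default, traefik default cert\", url: \n","providerName":"letsencrypt.acme","time":"2020-04-07T17:34:29Z"}',
    r'{"level":"error","msg":"Unable to obtain ACME certificate for domains \"app.example.invalid\": acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested app.example.invalid from 203.0.113.10:443. Received 1 certificate(s), first certificate had names \"lb.example.invalid\", url: \n","time":"2020-04-07T18:00:00Z"}',
    r'{"level":"debug","msg":"Serving default certificate for request: \"traefik.demo.cloud.patrowl.io\"","time":"2020-04-07T17:34:30Z"}',
    "not a json line at all",
]


@dataclass
class AlpnFailure:
    time: str
    domain: str             # name the validator asked for in SNI
    target_addr: str        # address the validator connected to (the DNS target of the name)
    port: int
    cert_names: List[str]   # names on the certificate it was handed instead


def is_traefik_default_name(name: str) -> bool:
    """True for the names Traefik puts on its self-signed fallback certificate."""
    n = name.strip().lower()
    return n.endswith(".traefik.default") or n == "traefik default cert"


def parse_alpn_failures(lines: Iterable[str]) -> List[AlpnFailure]:
    """Pull every TLS-ALPN-01 validation failure out of JSON-formatted Traefik log lines."""
    failures: List[AlpnFailure] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON-formatted Traefik line; skip it
        m = _ALPN_FAIL_RE.search(rec.get("msg", ""))
        if m is None:
            continue
        failures.append(AlpnFailure(
            time=rec.get("time", ""),
            domain=m["domain"],
            target_addr=m["addr"],
            port=int(m["port"]),
            cert_names=[n.strip() for n in m["names"].split(",") if n.strip()],
        ))
    return failures


def diagnose(f: AlpnFailure) -> str:
    """Say who answered the validator's TLS handshake and what that implies."""
    if any(is_traefik_default_name(n) for n in f.cert_names):
        return (
            f"default-cert: a Traefik instance behind {f.target_addr}:{f.port} answered for "
            f"{f.domain} with its built-in self-signed certificate, so it held no challenge "
            f"certificate for that name. With one Traefik per node behind a round-robin TCP "
            f"load balancer (plus swarm ingress routing), the instance that opened the ACME "
            f"order and the one that received the validation connection can differ; Traefik v2 "
            f"does not share ACME challenge state between instances."
        )
    return (
        f"other-cert: {f.target_addr}:{f.port} served a certificate for "
        f"{', '.join(f.cert_names) or '(no names)'}; something other than the Traefik that "
        f"requested the certificate terminated TLS (e.g. a load balancer in HTTP/TLS mode)."
    )


def main(lines: Iterable[str] = SAMPLE_LOG) -> List[str]:
    reports = [diagnose(f) for f in parse_alpn_failures(lines)]
    for r in reports:
        print(r)
    return reports


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            main(fh)
    else:
        main()
```

Run it without arguments to see the two constructed failures classified, or feed it a real log with `docker service logs --raw <service> > traefik.log` and `python3 triage.py traefik.log` (`--raw` keeps the JSON lines free of the container-name prefix the parser would otherwise skip).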