Treafik使用DEFAULT CERT而不是使用Let's Encrypt通配符证书

时间:2020-09-29 07:21:34

标签: ssl kubernetes lets-encrypt traefik traefik-ingress

我尝试设置Traefik以使用DNS挑战从Let's Encrypt获取证书,并使用该证书保护whoami应用。我设法获得了证书(很好地存在于acme.json文件中),但是我的IngressRoute并未将这些证书用于路由。

我的集群是K3D集群。 我从官方Helm Chart部署了Traefik v2:helm install tr​​aefik traefik / traefik -f traefik-values.yaml

我为图表定义了这些值:

additionalArguments:
  - --log.level=TRACE
  - --certificatesresolvers.le.acme.email=<MY_EMAIL>
  - --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
  - --certificatesresolvers.le.acme.dnschallenge=true
  - --certificatesresolvers.le.acme.dnschallenge.provider=route53
  - --certificatesresolvers.le.acme.dnschallenge.delayBeforeCheck=60
  - --certificatesresolvers.le.acme.dnschallenge.resolvers=8.8.8.8:53
  - --certificatesresolvers.le.acme.storage=/data/acme.json
  - --entrypoints.web.http.redirections.entryPoint.to=:443
  - --entrypoints.web.http.redirections.entryPoint.scheme=https
persistence:
  enabled: true
  path: /data
env:
  - name: AWS_REGION
    value: eu-west-1
  - name: AWS_HOSTED_ZONE_ID
    value: <MY_AWS_HOSTED_ZONE_ID>
  - name: AWS_ACCESS_KEY_ID
    value: <MY_AWS_ACCESS_KEY_ID>
  - name: AWS_SECRET_ACCESS_KEY
    value: <MY_AWS_SECRET_ACCESS_KEY>

whoami应用程序的部署,服务和IngressRoute:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: containous/whoami:v1.5.0
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  labels:
    app: whoami
spec:
  type: ClusterIP
  ports:
    - port: 80
      name: whoami
  selector:
    app: whoami
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-tls
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`test.mydomain.com`) || Path(`/whoami`)
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: le
    domains:
      - main: "*.test.mydomain.com"

在日志中,我可以看到:

time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] acme: Registering account for MY_EMAIL"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Obtaining bundled SAN certificate"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/118300931"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: use dns-01 solver"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Preparing to solve DNS-01"
time="2020-09-24T14:04:05Z" level=debug msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2020-09-24T14:05:16Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Trying to solve DNS-01"
time="2020-09-24T14:05:16Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Checking DNS record propagation using [8.8.8.8:53]"
time="2020-09-24T14:05:20Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]"
time="2020-09-24T14:06:24Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] The server validated our request"
time="2020-09-24T14:06:24Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Cleaning DNS-01 challenge"
time="2020-09-24T14:06:25Z" level=debug msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2020-09-24T14:07:21Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Validations succeeded; requesting certificates"
time="2020-09-24T14:07:23Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] Server responded with a certificate."

然后:

time="2020-09-24T14:07:24Z" level=debug msg="Looking for provided certificate(s) to validate [\"*.test.mydomain.com\"]..." providerName=le.acme
time="2020-09-24T14:07:24Z" level=debug msg="No ACME certificate generation required for domains [\"*.test.mydomain.com\"]." providerName=le.acme

当我从浏览器访问localhost / whoami时,我可以看到whoami应用程序,但是使用的证书是Traefik的默认证书。 非通配符证书也存在相同的问题。

为什么我的路线未使用LE证书?

预先感谢您的帮助。

1 个答案:

答案 0 :(得分:0)

我刚刚将我的网站从new.example.com移到了example.com,该网站已链接到另一台服务器上托管的网站的旧版本。

traefik使用默认证书代替了自动加密证书。更改dns记录后一小时,它才开始使用自动证书。我尚未进行配置更新。我认为这可能与traefik的github上发布的thisthis问题有关。

如果实际上与“ chicken-and-egg problem as the domain shouldn't be moved to the new server before the keys work, and keys can't be requested before the domain works”有关,我建议在dns更新后的24小时内使用user-defined certificates。然后可以安全地使用自动证书。

一些详细信息

我使用了文档中的acme configuration

certificatesResolvers:
  myresolver:
    acme:
      email: your-email@example.com
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

奇怪的是,/etc/traefik/acme/acme.json包含私钥,尽管我不知道它应该如何工作。

{
  "letsencrypt": {
    "Account": {
      "Email": "example@mail.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:example@mail.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/*******"
      },
      "PrivateKey": "*******************************************",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}

另外,我使用了docker并重启了容器几次。上次重启后,它才开始工作。

相关问题
最新问题