[Posted]: 2019-05-30 21:17:24
[Question]:
I decided to switch from jwilder/nginx-proxy to traefik because I want to route to containers based on the URI path, which is not possible with jwilder/nginx-proxy but should be with traefik.
To that end I first want to convert my current setup (routing to a single container on a single domain), which already uses Let's Encrypt.
My question is: how do I get traefik to give me a proper certificate signed by Let's Encrypt rather than something self-signed?
So I have traefik in a docker container, set up with acme. I first tried the HTTP-01 challenge without success, then decided to go with TLS-ALPN-01 instead.
After the container starts (and some waiting) the log eventually reads (sensitive information replaced with Xs):
time="2019-05-30T20:01:25Z" level=info msg="legolog: [INFO] acme: Registering account for XXXXXXXX@XXXXXXXX.XXXXXXXX"
time="2019-05-30T20:01:25Z" level=info msg="legolog: [INFO] [XXXXXXXX.ddns.net] acme: Obtaining bundled SAN certificate"
time="2019-05-30T20:01:26Z" level=info msg="legolog: [INFO] [XXXXXXXX.ddns.net] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/XXXXXXXX"
time="2019-05-30T20:01:26Z" level=info msg="legolog: [INFO] [XXXXXXXX.ddns.net] acme: use tls-alpn-01 solver"
time="2019-05-30T20:01:26Z" level=info msg="legolog: [INFO] [XXXXXXXX.ddns.net] acme: Trying to solve TLS-ALPN-01"
time="2019-05-30T20:01:33Z" level=info msg="legolog: [INFO] [XXXXXXXX.ddns.net] The server validated our request"
time="2019-05-30T20:01:33Z" level=info msg="legolog: [INFO] [XXXXXXXX.ddns.net] acme: Validations succeeded; requesting certificates"
time="2019-05-30T20:02:17Z" level=info msg="legolog: [INFO] [XXXXXXXX.ddns.net] Server responded with a certificate."
Navigating to the "AuthURL" it reads (sensitive information again replaced with Xs):
{
  "identifier": {
    "type": "dns",
    "value": "XXXXXXXX.ddns.net"
  },
  "status": "valid",
  "expires": "2019-06-29T20:01:29Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/XXXXXXXX/XXXXXXXX",
      "token": "XXXXXXXX"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/XXXXXXXX/XXXXXXXX",
      "token": "XXXXXXXX"
    },
    {
      "type": "tls-alpn-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/XXXXXXXX/XXXXXXXX",
      "token": "XXXXXXXX",
      "validationRecord": [
        {
          "hostname": "XXXXXXXX.ddns.net",
          "port": "443",
          "addressesResolved": [
            "XXXXXXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX"
          ],
          "addressUsed": "XXXXXXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX"
        }
      ]
    }
  ]
}
So I wrongly assumed everything should be fine.
When navigating to the traefik frontend, the certificate shown in Firefox has no chain (self-signed, I imagine) and is naturally rejected (HTTP Strict Transport Security (HSTS), SEC_ERROR_UNKNOWN_ISSUER).
The certificate's domain shows the correct domain I gave traefik for the frontend, but the issuer reads "Fake LE Intermediate X1", which doesn't look like anything from Let's Encrypt. The saved acme.json (yes, traefik is configured with file storage) has one certificate entry (base64) which, when decoded, shows two certificates.
Using https://www.sslshopper.com/certificate-decoder.html I found that the first certificate is the same one my browser rejects, and the second one also has "Fake LE Intermediate X1". Neither looks like the "TRAEFIK DEFAULT CERT" you get when you access the server via IP (not URL/domain), but that seems irrelevant.
I still have the certificate/key from my previous setup, where the issuer reads "Let's Encrypt Authority X3, Let's Encrypt". I could of course paste them into acme.json but don't know whether that would work. And before long the certificate will expire, and I guess I'd face the same problem as now.
My traefik.toml looks like this:
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]

################################################################
# API and dashboard configuration
################################################################
[api]
################################################################
# Docker configuration backend
dashboard = true
################################################################
#[web]
#address = ":8080"
#  [web.auth.basic]
#  users = ["admin:traefikW0rd"]

[docker]
domain = "XXXXXXXX.ddns.net"
watch = true
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = false

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "XXXXXXXX@XXXXXXXX.XXXXXXXX"
storage = "/etc/traefik/ACME/acme.json"
keyType = "RSA4096"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
acmeLogging = true
entryPoint = "https"
#OnHostRule = true
  [acme.tlsChallenge]
  entryPoint = "https"
[[acme.domains]]
  main = "XXXXXXXX.ddns.net"
[Discussion]:
Tags: docker certificate lets-encrypt traefik hsts
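As an added check (not part of the question and not Traefik's own code), a small Python linter for a Traefik 1.x traefik.toml like the one above: it flags a caServer that points at the Let's Encrypt staging directory (whose certificates chain to "Fake LE Intermediate X1", which browsers do not trust), a tlsChallenge entryPoint that does not listen on port 443 (TLS-ALPN-01 is validated there only), and an entry point with no tls table. The sample config is constructed from the relevant parts of the question, and the parser handles only the flat table/key subset such a config uses.

```python
import re

# Constructed sample mirroring the relevant part of the config in the question:
# staging CA directory, TLS-ALPN-01 answered on the "https" entry point.
SAMPLE_TOML = """
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[acme]
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
entryPoint = "https"
  [acme.tlsChallenge]
  entryPoint = "https"
"""

def parse_toml_subset(text):
    """Return {dotted.table: {key: value}} for [tables], [[array tables]] and scalar lines."""
    tables, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' inside strings)
        if not line:
            continue
        header = re.fullmatch(r"\[\[?([\w.]+)\]\]?", line)
        if header:
            current = header.group(1)
            tables.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        tables[current][key.strip()] = value.strip().strip('"')
    return tables

def lint(text):
    """Return a list of findings; an empty list means none of the known pitfalls was hit."""
    cfg = parse_toml_subset(text)
    findings = []
    if "acme-staging" in cfg.get("acme", {}).get("caServer", ""):
        findings.append("caServer is the Let's Encrypt STAGING directory: certificates chain to "
                        "'Fake LE Intermediate X1', which browsers reject; drop caServer for production")
    ep = cfg.get("acme.tlsChallenge", {}).get("entryPoint")
    if ep is not None:
        addr = cfg.get(f"entryPoints.{ep}", {}).get("address", "")
        if addr.rsplit(":", 1)[-1] != "443":  # TLS-ALPN-01 is validated on port 443 only
            findings.append(f"tlsChallenge entryPoint {ep!r} listens on {addr!r}, not on port 443")
        if f"entryPoints.{ep}.tls" not in cfg:
            findings.append(f"entryPoint {ep!r} has no [entryPoints.{ep}.tls] table, so it cannot serve TLS")
    return findings
```

Run `lint(open("traefik.toml").read())` against a real file; an empty list means the staging CA, port and tls-table pitfalls are all absent.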