Traefik Error forwarding EOF / Bad Gateway (Let's Encrypt Related)
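I am trying to reach Cryptpad through Traefik, running in Docker on a public server. I have set up both Traefik and Cryptpad, but so far, after navigating to http://cryptpad.myserver.com (which redirects to https, as configured), I get a Bad Gateway error in the browser and the following error in the Traefik container's log: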
level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"
In addition, another possibly related problem is that Let's Encrypt seems unable to issue certificates for cryptpad.myserver.com and monitor.myserver.com (I configured it following the instructions here: https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-16-04).
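Edit:
The Bad Gateway problem does indeed seem to stem from the failure to create a valid certificate, since I can reach Cryptpad through Traefik over plain HTTP (after turning off the relevant HTTPS configuration, of course). The title of this question has been edited accordingly to reflect this relationship.
For example, when trying to reach https://monitor.myserver.com, I get the following errors in the Traefik container's log: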
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9080"
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9443"
time="2018-01-10T13:53:37Z" level=debug msg="LoadCertificateForDomains [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=debug msg="Look for provided certificate to validate [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=debug msg="No provided certificate found for domains [monitor.myserver.com], get ACME certificate."
time="2018-01-10T13:53:37Z" level=debug msg="Loading ACME certificates [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=warning msg="A new release has been found: 1.4.6. Please consider updating."
time="2018-01-10T13:53:37Z" level=error msg="map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]"
time="2018-01-10T13:53:37Z" level=error msg="Error getting ACME certificates [monitor.myserver.com] : Cannot obtain certificates map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]+v"
Similarly, when trying to reach http://cryptpad.myserver.com, the following SSL errors are logged (ending with the EOF / Bad Gateway error mentioned above):
time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9443"
time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9080"
time="2018-01-10T11:59:18Z" level=debug msg="LoadCertificateForDomains [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:18Z" level=debug msg="Loading ACME certificates [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=error msg="map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]"
time="2018-01-10T11:59:18Z" level=error msg="Error getting ACME certificates [cryptpad.myserver.com] : Cannot obtain certificates map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]+v"
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"
Below are Traefik's docker-compose.yml file and its traefik.toml file (both configured with reference to the guide already mentioned above [via Digital Ocean] and Traefik's own https://docs.traefik.io/user-guide/docker-and-lets-encrypt/):
version: '2'
services:
  traefik:
    image: traefik
    networks:
      - proxy
    ports:
      - "9080:9080"
      - "9443:9443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - "traefik.frontend.rule=Host:monitor.myserver.com"
      - "traefik.port=8080"
    container_name: traefik
networks:
  proxy:
    external: true
traefik.toml:
checkNewVersion = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":9080"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":9443"
[entryPoints.https.tls]
[retry]
[acme]
email = "example@myserver.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
[web]
address = ":8080"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.com"
watch = true
exposedbydefault = false
Here are Cryptpad's .env and docker-compose.yml files, which I obtained and edited according to https://github.com/xwiki-labs/cryptpad/blob/master/docs/cryptpad-docker.md and the previously mentioned guide:
VERSION=latest
USE_SSL=true
STORAGE='./storage/file'
LOG_TO_STDOUT=true
docker-compose.yml
version: '2'
services:
  cryptpad:
    build:
      context: .
      args:
        - VERSION=${VERSION}
    image: "xwiki/cryptpad:${VERSION}"
    hostname: cryptpad
    labels:
      - "traefik.backend=cryptpad"
      - "traefik.docker.network=proxy"
      - "traefik.frontend.rule=Host:cryptpad.myserver.com"
      - "traefik.enable=true"
      - "traefik.port=3000"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.default.protocol=https"
    environment:
      - USE_SSL=${USE_SSL}
      - STORAGE=${STORAGE}
      - LOG_TO_STDOUT=${LOG_TO_STDOUT}
    restart: always
    volumes:
      - ./data/files:/cryptpad/datastore:rw
      - ./data/customize:/cryptpad/customize:rw
    networks:
      - proxy
      - default
    expose:
      - "3000"
networks:
  proxy:
    external: true
Any help would be greatly appreciated. And of course, I can provide more details if necessary.
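I think you are running into this issue:
Apparently, Let's Encrypt has disabled TLS-SNI-01 due to a security issue. Here is the link to the issue: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996
It looks like it will take Let's Encrypt a few days before they can enable it again.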
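A triage sketch added here, not part of the original question or answer: it parses Traefik log lines like the ones in the question and reports the certificate-issuance failures (`acme: Could not determine solvers`, `ACME got nothing`) separately from the backend `Error forwarding` warnings, so each can be tracked on its own. The function names and message patterns are assumptions derived only from the log lines shown above.

```python
import re
from collections import defaultdict

# Sample input: log lines copied from the question (Traefik logfmt output).
SAMPLE_LOG = '''\
time="2018-01-10T11:59:18Z" level=debug msg="Loading ACME certificates [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=error msg="map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]"
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"
time="2018-01-10T13:53:37Z" level=error msg="map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]"
'''

# One logfmt field: key=bare or key="quoted value"
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
# Message patterns (assumptions, taken from the lines in the question only)
NO_SOLVER = re.compile(r'^map\[([^:\]]+):\[.*acme: Could not determine solvers')
NO_CERT = re.compile(r'^ACME got nothing (\S+)$')
FORWARD = re.compile(r'^Error forwarding to (\S+), err: (.+)$')


def parse_line(line):
    """Split one logfmt line into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def triage(log_text):
    """Group certificate-issuance failures and backend errors separately."""
    report = {"acme_no_solver": defaultdict(list),
              "acme_no_cert": defaultdict(list),
              "forward_errors": defaultdict(list)}
    for line in log_text.splitlines():
        fields = parse_line(line)
        msg, ts = fields.get("msg", ""), fields.get("time", "")
        if m := NO_SOLVER.search(msg):
            report["acme_no_solver"][m.group(1)].append(ts)   # keyed by domain
        elif m := NO_CERT.search(msg):
            report["acme_no_cert"][m.group(1)].append(ts)     # keyed by domain
        elif m := FORWARD.search(msg):
            report["forward_errors"][m.groups()].append(ts)   # keyed by (url, error)
    return {kind: dict(hits) for kind, hits in report.items()}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for subject, stamps in hits.items():
            print(f"{kind}: {subject} x{len(stamps)} (first {stamps[0]})")
```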