Docker, Traefik 2.2, and Default Certificate
Question: Why does Traefik not use my wildcard certificate (as declared in my traefik.yml file) and instead insists on generating its own?

docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik:2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $PWD/traefik.yml:/etc/traefik/traefik.yml:ro
      - $PWD/certs:/certs
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.rule=Host("traefik.network.lan")
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.service=api@internal

networks:
  proxy:
    external: true
$PWD/traefik.yml
global:
  checkNewVersion: true
  sendAnonymousUsage: true

log:
  level: DEBUG

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    swarmMode: false

tls:
  certificates:
    - certFile: /certs/wildcard.crt
      keyFile: /certs/wildcard.key
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: /certs/wildcard.crt
        keyFile: /certs/wildcard.key
  options:
    default:
      minVersion: VersionTLS12
      preferServerCipherSuites: true
    mintls13:
      minVersion: VersionTLS13

accessLog: {}
I attached to the traefik container to verify that /etc/traefik/traefik.yml and both certificates in /certs exist. When I look at the logs of the traefik container, I see the following lines during startup (note the debug level, which shows that my configuration is indeed being read):
traefik | time="2020-06-14T17:01:51Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
traefik | time="2020-06-14T17:01:51Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
...
traefik | time="2020-06-14T17:01:51Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"
...
traefik | time="2020-06-14T17:01:51Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"
Your configuration doesn't seem to be loaded properly. Try configuring traefik explicitly with the configuration file by passing the following argument to the traefik command:

- '--providers.file.filename=/etc/traefik/traefik.yml'
I think the problem is the certificates in the traefik.yml file. Certificates should be part of the dynamic configuration, see https://docs.traefik.io/https/tls/#user-defined.

This means you need two things:

- another configuration file, e.g. certs.yml, and move the tls section (with the certificates, stores and options sections) into it
- add another provider to your traefik.yml file, e.g.

providers:
  docker:
    ...
  file:
    filename: /path/to/certs.yml
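The root cause in this thread is that Traefik v2 reads only static configuration from traefik.yml and silently drops the `tls` section, so the store has no default certificate and the "No default certificate, generating one" line appears. The following helper is an added example written for this page, not code from the thread or from the Traefik project: it takes a parsed traefik.yml (the questioner's file is reproduced inline as a constructed dict), reports any dynamic-only sections (`tls`, `http`, `tcp`, `udp`) found in the static file, moves them into a separate dynamic configuration, and adds the file provider that loads it. The dynamic file path `/etc/traefik/dynamic/certs.yml` and the function names are assumptions for illustration.

```python
"""Detect and split dynamic sections that were placed in Traefik's static config.

Hypothetical helper (not part of Traefik). Input and output are plain dicts;
a small YAML emitter is included so no PyYAML dependency is needed.
"""
import json

# Top-level keys Traefik v2 accepts only from a dynamic provider (file, docker, ...).
# In the static file they are ignored without an error, hence the generated cert.
DYNAMIC_SECTIONS = ("tls", "http", "tcp", "udp")

# Constructed sample mirroring the traefik.yml posted in the question.
STATIC_CONFIG = {
    "global": {"checkNewVersion": True, "sendAnonymousUsage": True},
    "log": {"level": "DEBUG"},
    "api": {"dashboard": True},
    "entryPoints": {"http": {"address": ":80"}, "https": {"address": ":443"}},
    "providers": {
        "docker": {
            "endpoint": "unix:///var/run/docker.sock",
            "exposedByDefault": False,
            "swarmMode": False,
        }
    },
    "tls": {
        "certificates": [
            {"certFile": "/certs/wildcard.crt", "keyFile": "/certs/wildcard.key",
             "stores": ["default"]}
        ],
        "stores": {"default": {"defaultCertificate": {
            "certFile": "/certs/wildcard.crt", "keyFile": "/certs/wildcard.key"}}},
        "options": {
            "default": {"minVersion": "VersionTLS12", "preferServerCipherSuites": True},
            "mintls13": {"minVersion": "VersionTLS13"},
        },
    },
    "accessLog": {},
}


def split_config(static, dynamic_path="/etc/traefik/dynamic/certs.yml"):
    """Return (static, dynamic, warnings) with misplaced sections moved out.

    A providers.file entry pointing at dynamic_path (assumed path) is added so
    Traefik actually loads the moved sections.
    """
    static = json.loads(json.dumps(static))  # deep copy; leave the input untouched
    dynamic, warnings = {}, []
    for key in DYNAMIC_SECTIONS:
        if key in static:
            warnings.append(f"'{key}' is dynamic configuration; Traefik ignores it in the static file")
            dynamic[key] = static.pop(key)
    if dynamic:
        providers = static.setdefault("providers", {})
        if "file" not in providers:
            providers["file"] = {"filename": dynamic_path}
            warnings.append(f"added providers.file.filename={dynamic_path}")
    return static, dynamic, warnings


def default_cert_status(dynamic):
    """Say whether the default store carries an explicit default certificate."""
    stores = dynamic.get("tls", {}).get("stores", {})
    default = stores.get("default", {}).get("defaultCertificate")
    if default:
        return f"default certificate: {default['certFile']}"
    return "no default certificate: Traefik will generate a self-signed one"


def _scalar(v):
    """Render a YAML scalar; quote values that YAML would otherwise misparse."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, dict):
        return "{}"
    if isinstance(v, list):
        return "[]"
    s = str(v)
    return f'"{s}"' if s.startswith(":") or " " in s else s


def to_yaml(obj, indent=0):
    """Minimal YAML emitter for nested dicts/lists (sufficient for Traefik config)."""
    pad, lines = "  " * indent, []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, (dict, list)) and v:
                lines.append(f"{pad}{k}:")
                lines.extend(to_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
    elif isinstance(obj, list):
        for item in obj:
            if isinstance(item, dict) and item:
                sub = to_yaml(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")  # first key on the '- ' line
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


if __name__ == "__main__":
    static, dynamic, warnings = split_config(STATIC_CONFIG)
    print("\n".join(warnings))
    print(default_cert_status(dynamic))
    print("# --- traefik.yml (static) ---")
    print("\n".join(to_yaml(static)))
    print("# --- certs.yml (dynamic) ---")
    print("\n".join(to_yaml(dynamic)))
```

Running it prints two warnings (the misplaced `tls` section and the added file provider) and the two resulting files; the emitted certs.yml is exactly the `tls` block from the question, ready for the file provider, and the static file keeps `entryPoints`, `providers` and friends. When the default store ends up without a `defaultCertificate`, `default_cert_status` says so, which is the condition behind the "No default certificate, generating one" log line.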