Traefik v2 and Invalid Let's Encrypt Certificate
I'm having problems generating certificates after upgrading from traefik 1 to 2.
I'm using the docker provider and setting everything up with labels.
Here is the link to the certificate test: https://check-your-website.server-daten.de/?q=staging.evopoints.co.za
The static traefik.yml configuration is:
global:
  checkNewVersion: true
  sendAnonymousUsage: false
providers:
  docker:
    exposedByDefault: false
    watch: true
entryPoints:
  web-insecure:
    address: ":80"
  web-secure:
    address: ":443"
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: 42
        graceTimeOut: 42
      respondingTimeouts:
        readTimeout: 42
        writeTimeout: 42
        idleTimeout: 42
certificatesResolvers:
  letsencrypt:
    acme:
      email: <private-email>
      storage: acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web-insecure
api:
  insecure: true
  dashboard: true
  debug: true
log:
  filePath: /mnt/logs/traefik/traefik.log
  level: DEBUG
accessLog:
  filePath: /mnt/logs/traefik/access.log
Here are the relevant snippets from docker-compose.yml:
version: '3'
services:
  webapp:
    image: <private registry>
    restart: always
    volumes:
      ... snipped list of volumes ...
    labels:
      - "traefik.enable=true"
      # Create a bunch of required middlewares
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.www-redirect.redirectregex.regex=^https://evopoints.co.za/(.*)"
      # Note: all dollar signs need to be doubled for escaping.
      - "traefik.http.middlewares.www-redirect.redirectregex.replacement=https://staging.evopoints.co.za/$"
      - "traefik.http.middlewares.webapp.headers.customrequestheaders.http-x-forwarded-proto=https"
      - "traefik.http.middlewares.webapp.headers.sslredirect=true"
      - "traefik.http.middlewares.webapp.headers.sslforcehost=true"
      - "traefik.http.middlewares.webapp.headers.sslhost=staging.evopoints.co.za"
      # Insecure Entry
      - "traefik.http.routers.webapp-insecure.entrypoints=web-insecure"
      - "traefik.http.routers.webapp-insecure.rule=Host(`staging.evopoints.co.za`)"
      - "traefik.http.routers.webapp-insecure.middlewares=https-redirect"
      # Secure entry
      - "traefik.http.routers.webapp.entrypoints=web-secure"
      - "traefik.http.routers.webapp.rule=Host(`staging.evopoints.co.za`)"
      - "traefik.http.routers.webapp.tls=true"
      - "traefik.http.routers.webapp.tls.certresolver=letsencrypt"
      - "traefik.http.routers.webapp.middlewares=webapp"
  nginx:
    image: <private_registry>
    restart: always
    volumes:
      ... snipped volumes ...
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.nginx.loadbalancer.server.port=443"
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.entrypoints=web-secure"
      - "traefik.http.routers.nginx.rule=Host(`staging.evopoints.co.za`) && (PathPrefix(`/static`, `/media`) || Path(`/service-worker.js`))"
  traefik:
    image: traefik:v2.1
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./resources/traefik/traefik.yml:/traefik.yml
      - ./resources/traefik/acme.json:/acme.json
      - ./logs/traefik:/mnt/logs/traefik
As zeitounator pointed out in the comments on my post, the solution: the letsencrypt staging environment does not sign certificates properly, which is intentional, so they appear invalid. The staging environment is only there to test whether a certificate is actually generated, nothing more.
After changing to the production certificate resolver, everything works as expected.
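The answer above separates two questions that the "invalid certificate" report blurs together: did issuance succeed at all, and which CA issued it. Traefik v2 records both in the resolver's storage file (acme.json in the configuration above), so the quickest offline check is to read that file rather than the browser error. The script below is an added example and is not code from the question, the answer, or the Traefik project; it assumes the Traefik v2 acme.json layout (a top-level key per resolver with Account.Registration.uri and a Certificates list whose certificate field is base64-wrapped PEM), and its sample acme.json and PEM contents are constructed placeholders, not real key material.

```python
import base64
import json
from urllib.parse import urlparse

# ACME directory hosts. The staging host is the one in the question's caServer;
# the production host is the one the accepted answer switches to.
LE_STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"
LE_PRODUCTION_HOST = "acme-v02.api.letsencrypt.org"

# Constructed placeholder PEM (not a real certificate) so the example runs offline.
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholder-not-a-real-certificate\n"
    "-----END CERTIFICATE-----\n"
)
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n"

# Constructed sample acme.json in the assumed Traefik v2 layout: the account was
# registered against the staging directory and one certificate was stored for the host.
SAMPLE_ACME_JSON = json.dumps({
    "letsencrypt": {
        "Account": {
            "Email": "ops@example.invalid",
            "Registration": {
                "body": {"status": "valid"},
                "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/12345",
            },
            "PrivateKey": base64.b64encode(FAKE_KEY.encode()).decode(),
            "KeyType": "4096",
        },
        "Certificates": [{
            "domain": {"main": "staging.evopoints.co.za", "sans": None},
            "certificate": base64.b64encode(FAKE_PEM.encode()).decode(),
            "key": base64.b64encode(FAKE_KEY.encode()).decode(),
            "Store": "default",
        }],
    }
})


def decode_pem_field(b64_value):
    """Traefik stores certificate and key as base64-wrapped PEM; return the PEM text."""
    return base64.b64decode(b64_value).decode("ascii")


def inspect_acme_store(acme_json_text):
    """Summarise each resolver in acme.json: which CA the account belongs to and what was issued."""
    store = json.loads(acme_json_text)
    report = {}
    for resolver, data in store.items():
        account = data.get("Account") or {}
        reg_uri = (account.get("Registration") or {}).get("uri", "")
        ca_host = urlparse(reg_uri).hostname or ""
        if ca_host == LE_STAGING_HOST:
            ca_kind = "staging"
        elif ca_host == LE_PRODUCTION_HOST:
            ca_kind = "production"
        else:
            ca_kind = "unknown"
        certificates = []
        for cert in data.get("Certificates") or []:
            pem = decode_pem_field(cert["certificate"])
            certificates.append({
                "main": cert["domain"]["main"],
                "sans": cert["domain"].get("sans") or [],
                # A stored entry that does not decode to PEM points at a corrupted store.
                "pem_ok": pem.startswith("-----BEGIN CERTIFICATE-----"),
            })
        report[resolver] = {"ca_host": ca_host, "ca_kind": ca_kind, "certificates": certificates}
    return report


def diagnose(report):
    """Turn the summary into findings that say whether the browser error is expected."""
    findings = []
    for resolver, info in report.items():
        count = len(info["certificates"])
        if info["ca_kind"] == "staging":
            if count:
                findings.append(
                    f"{resolver}: {count} certificate(s) issued by the Let's Encrypt staging CA. "
                    "Issuance works; browsers reject these by design. Point caServer at production "
                    "and clear acme.json so a fresh account is registered with the new CA."
                )
            else:
                findings.append(
                    f"{resolver}: staging account registered but no certificate stored; "
                    "check that the httpChallenge entryPoint is reachable on port 80 and read the DEBUG log."
                )
        elif info["ca_kind"] == "production":
            findings.append(f"{resolver}: production CA, {count} certificate(s) stored.")
        else:
            findings.append(f"{resolver}: unrecognised CA host '{info['ca_host']}'.")
        for cert in info["certificates"]:
            if not cert["pem_ok"]:
                findings.append(f"{resolver}: stored entry for {cert['main']} does not decode to PEM.")
    return findings


if __name__ == "__main__":
    for line in diagnose(inspect_acme_store(SAMPLE_ACME_JSON)):
        print(line)
```

Run it against the real file with `inspect_acme_store(open("acme.json").read())` from inside the Traefik container or on the bind-mounted host path. A resolver whose account URI lives on the staging host will never produce a browser-trusted certificate no matter how correct the routers and labels are, which is exactly the situation the accepted answer describes.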