Traefik v1.7 静态证书和动态acme证书

Traefix v1.7 static certificates and dynamic acme certificates

我在 docker 中以群模式使用 traefik:1.7.6-alpine。我需要指定静态ssl证书和其他自行管理的acme证书。

这是我在提起容器时遇到的错误:

time="2020-06-18T02:45:52Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2020-06-18T02:45:52Z" level=error msg="Failed to read new account, ACME data conversion is not available : unexpected end of JSON input"
time="2020-06-18T02:45:52Z" level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account : unexpected end of JSON input"
time="2020-06-18T02:45:52Z" level=info msg="Preparing server https &{Address::443 TLS:0xc000288630 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0006a45c0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2020-06-18T02:45:52Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0006a4560} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2020-06-18T02:45:52Z" level=info msg="Starting server on :443"
time="2020-06-18T02:45:52Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0006a4580} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2020-06-18T02:45:52Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2020-06-18T02:45:52Z" level=info msg="Starting server on :8080"
time="2020-06-18T02:45:52Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"arkaangel.com\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false,\"Network\":\"\",\"SwarmModeRefreshSeconds\":15}"
time="2020-06-18T02:45:52Z" level=info msg="Starting server on :80"

这是我的traefik.toml

debug = true
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]
[entryPoints]
    [entryPoints.http]
        address = ":80"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
            [[entryPoints.https.tls.certificates]]
                certFile = "/path/to/first/first.crt"
                keyFile = "/path/to/first/first.key"
            [[entryPoints.https.tls.certificates]]
                certFile = "/path/to/second/second.crt"
                keyFile =  "/path/to/second/second.key"
[api]
  dashboard = true
  [api.statistics]
    recentErrors = 10
[docker]
  exposedbydefault = false
  watch = true
  domain = "mydomain.com"

[acme]
email = "myemail@gmail.com"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging = true
onHostRule = true
    [acme.httpChallenge]
       entryPoint = "http"
    [[acme.domains]]
       main = "third-site.com"

这就是我在 docker-compose 中挂载 acme.json 文件以保留生成的证书的方式:

volumes:
./traefik/acme/acme.json:/etc/traefik/acme/acme.json

acme.json 文件具有 600 权限和所有者 root:root .

除了显示的配置之外,我尝试过的无法生成证书的事情:

  1. 不映射 acme.json 文件而是映射父文件夹,以便 traefik 创建 acme.json 文件 (失败)
  2. 不要为 acme.json 映射任何卷,以便在删除容器时它会丢失。 (失败)
  3. 将文件 acme.json 的所有者更改为 myuser: myuser,因此容器中的用户 1000 显示为所有者 (失败)

我解决以下错误的方法:“无法读取新帐户,ACME 数据转换不可用:JSON 输入意外结束” ,正在文件 acme.json {} 中写入,显然在尝试读取空文件并将其解析为 json 时出现错误。

总结: 在要映射的主机上创建 acme.json 时,您必须执行以下操作:

touch acme.json
echo '{}'> acme.json
chmod 600 acme.json