自签名 TLS 证书 traefik

Self assigned TLS sertificate traefik

我的问题是自分配证书而不是 lets-encrypt 证书
docker-compose.yml:

version: "3.7"

services:
  traefik:
    image: traefik
    command:
      - --api
      - --providers.docker
      - --providers.docker.exposedbydefault=false
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/data/traefik.yml:/etc/traefik/traefik.yml
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - public
      - private
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.dashboard.rule=Host(`dashboard.example.com`)"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.middlewares=auth"
        - "traefik.http.middlewares.auth.basicauth.users=admin:admin"
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure

服务标签

- "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.registry.tls.domains[0].main=example.com"
- "traefik.http.routers.registry.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.gites.tls.certresolver=resolver"
- "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"

traefik.yml:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  resolver:
    acme:
      email: mail@example.com
      storage: acme.json
      tlsChallenge: {}

这是我在 Firefox 中得到的:

这是发生的,因为浏览器采用 traefik 默认证书,但必须有 lets-encrypt 证书
通过日志级别调试我得到

level=debug msg="http: TLS handshake error from 192.168.80.1:53932: remote error: tls: bad certificate"

我解决了我的问题

docker-compose.yml:

version: "3.7"


services:
  traefik:
    image: traefik:v2.2.11
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/data/traefik.yml:/etc/traefik/traefik.yml
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/data/letsencrypt:/letsencrypt
    networks:
      - public
      - private
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`dashboard.example.com`)"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=web"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`dashboard.example.com`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=resolver"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      
  gitea:
    image: gitea/gitea:latest
    environment:
      - APP_NAME=Gitea
      - USER_UID=1000
      - USER_GID=1000
      - ROOT_URL=https://gitea.example.com
      - SSH_DOMAIN=gitea.example.com
      - SSH_PORT=2222
      - HTTP_PORT=3000
      - DB_TYPE=postgres
      - DB_HOST=gitea-db:5432
      - DB_NAME=gitea
      - DB_USER=gitea
      - DB_PASSWD=gitea
    volumes:
      - gitea_app:/data
    ports:
      - 2222:2222
    networks:
      - public
      - private
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.entrypoints=web"
      - "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
      - "traefik.http.middlewares.gitea-https-redirect.redirectscheme.scheme=websecure"
      - "traefik.http.routers.gitea.middlewares=gitea-https-redirect"
      - "traefik.http.routers.gitea-secure.entrypoints=websecure"
      - "traefik.http.routers.gitea-secure.rule=Host(`gitea.example.com`)"
      - "traefik.http.routers.gitea-secure.tls=true"
      - "traefik.http.routers.gitea-secure.tls.certresolver=resolver"
      - "traefik.http.routers.gitea-secure.service=gitea"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
      - "traefik.docker.network=public"

  gitea-db:
    image: postgres:alpine
    volumes:
      - gitea_db:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD=gitea
      - POSTGRES_DB=gitea
    networks:
      - private

traefik.yml

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

api:
  dashboard: true

log:
  level: DEBUG

providers:
  docker:
    exposedbydefault: false
    endpoint: "unix:///var/run/docker.sock"
    swarmMode: true
    
certificatesResolvers:
  resolver:
    acme:
      email: mail@example.com
      storage: letsencrypt/acme.json
      httpChallenge: 
        entryPoint: web

我还有一个用于 acme.json 文件的 letsencrypt 空文件夹