自签名 TLS 证书 traefik
Self assigned TLS sertificate traefik
我的问题是自分配证书而不是 lets-encrypt 证书
docker-compose.yml:
version: "3.7"
services:
traefik:
image: traefik
command:
- --api
- --providers.docker
- --providers.docker.exposedbydefault=false
ports:
- 8080:8080
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/data/traefik.yml:/etc/traefik/traefik.yml
- /var/run/docker.sock:/var/run/docker.sock
networks:
- public
- private
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`dashboard.example.com`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=admin:admin"
replicas: 1
placement:
constraints:
- node.role == manager
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
服务标签
- "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.registry.tls.domains[0].main=example.com"
- "traefik.http.routers.registry.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.gites.tls.certresolver=resolver"
- "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"
traefik.yml:
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
certificatesResolvers:
resolver:
acme:
email: mail@example.com
storage: acme.json
tlsChallenge: {}
这是我在 Firefox 中得到的:
这是发生的,因为浏览器采用 traefik 默认证书,但必须有 lets-encrypt 证书
通过日志级别调试我得到
level=debug msg="http: TLS handshake error from 192.168.80.1:53932: remote error: tls: bad certificate"
我解决了我的问题
docker-compose.yml:
version: "3.7"
services:
traefik:
image: traefik:v2.2.11
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/data/traefik.yml:/etc/traefik/traefik.yml
- /var/run/docker.sock:/var/run/docker.sock
- /etc/data/letsencrypt:/letsencrypt
networks:
- public
- private
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=web"
- "traefik.http.routers.traefik.rule=Host(`dashboard.example.com`)"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=web"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=websecure"
- "traefik.http.routers.traefik-secure.rule=Host(`dashboard.example.com`)"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=resolver"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
gitea:
image: gitea/gitea:latest
environment:
- APP_NAME=Gitea
- USER_UID=1000
- USER_GID=1000
- ROOT_URL=https://gitea.example.com
- SSH_DOMAIN=gitea.example.com
- SSH_PORT=2222
- HTTP_PORT=3000
- DB_TYPE=postgres
- DB_HOST=gitea-db:5432
- DB_NAME=gitea
- DB_USER=gitea
- DB_PASSWD=gitea
volumes:
- gitea_app:/data
ports:
- 2222:2222
networks:
- public
- private
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.entrypoints=web"
- "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
- "traefik.http.middlewares.gitea-https-redirect.redirectscheme.scheme=websecure"
- "traefik.http.routers.gitea.middlewares=gitea-https-redirect"
- "traefik.http.routers.gitea-secure.entrypoints=websecure"
- "traefik.http.routers.gitea-secure.rule=Host(`gitea.example.com`)"
- "traefik.http.routers.gitea-secure.tls=true"
- "traefik.http.routers.gitea-secure.tls.certresolver=resolver"
- "traefik.http.routers.gitea-secure.service=gitea"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.docker.network=public"
gitea-db:
image: postgres:alpine
volumes:
- gitea_db:/var/lib/postgresql/data
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=gitea
- POSTGRES_DB=gitea
networks:
- private
traefik.yml
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
api:
dashboard: true
log:
level: DEBUG
providers:
docker:
exposedbydefault: false
endpoint: "unix:///var/run/docker.sock"
swarmMode: true
certificatesResolvers:
resolver:
acme:
email: mail@example.com
storage: letsencrypt/acme.json
httpChallenge:
entryPoint: web
我还有一个用于 acme.json 文件的 letsencrypt 空文件夹
我的问题是自分配证书而不是 lets-encrypt 证书
docker-compose.yml:
version: "3.7"
services:
traefik:
image: traefik
command:
- --api
- --providers.docker
- --providers.docker.exposedbydefault=false
ports:
- 8080:8080
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/data/traefik.yml:/etc/traefik/traefik.yml
- /var/run/docker.sock:/var/run/docker.sock
networks:
- public
- private
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`dashboard.example.com`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=admin:admin"
replicas: 1
placement:
constraints:
- node.role == manager
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
服务标签
- "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.registry.tls.domains[0].main=example.com"
- "traefik.http.routers.registry.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.gites.tls.certresolver=resolver"
- "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"
traefik.yml:
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
certificatesResolvers:
resolver:
acme:
email: mail@example.com
storage: acme.json
tlsChallenge: {}
这是我在 Firefox 中得到的:
这是发生的,因为浏览器采用 traefik 默认证书,但必须有 lets-encrypt 证书
通过日志级别调试我得到
level=debug msg="http: TLS handshake error from 192.168.80.1:53932: remote error: tls: bad certificate"
我解决了我的问题
docker-compose.yml:
version: "3.7"
services:
traefik:
image: traefik:v2.2.11
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/data/traefik.yml:/etc/traefik/traefik.yml
- /var/run/docker.sock:/var/run/docker.sock
- /etc/data/letsencrypt:/letsencrypt
networks:
- public
- private
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=web"
- "traefik.http.routers.traefik.rule=Host(`dashboard.example.com`)"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=web"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=websecure"
- "traefik.http.routers.traefik-secure.rule=Host(`dashboard.example.com`)"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=resolver"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
gitea:
image: gitea/gitea:latest
environment:
- APP_NAME=Gitea
- USER_UID=1000
- USER_GID=1000
- ROOT_URL=https://gitea.example.com
- SSH_DOMAIN=gitea.example.com
- SSH_PORT=2222
- HTTP_PORT=3000
- DB_TYPE=postgres
- DB_HOST=gitea-db:5432
- DB_NAME=gitea
- DB_USER=gitea
- DB_PASSWD=gitea
volumes:
- gitea_app:/data
ports:
- 2222:2222
networks:
- public
- private
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.entrypoints=web"
- "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
- "traefik.http.middlewares.gitea-https-redirect.redirectscheme.scheme=websecure"
- "traefik.http.routers.gitea.middlewares=gitea-https-redirect"
- "traefik.http.routers.gitea-secure.entrypoints=websecure"
- "traefik.http.routers.gitea-secure.rule=Host(`gitea.example.com`)"
- "traefik.http.routers.gitea-secure.tls=true"
- "traefik.http.routers.gitea-secure.tls.certresolver=resolver"
- "traefik.http.routers.gitea-secure.service=gitea"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.docker.network=public"
gitea-db:
image: postgres:alpine
volumes:
- gitea_db:/var/lib/postgresql/data
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=gitea
- POSTGRES_DB=gitea
networks:
- private
traefik.yml
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
api:
dashboard: true
log:
level: DEBUG
providers:
docker:
exposedbydefault: false
endpoint: "unix:///var/run/docker.sock"
swarmMode: true
certificatesResolvers:
resolver:
acme:
email: mail@example.com
storage: letsencrypt/acme.json
httpChallenge:
entryPoint: web
我还有一个用于 acme.json 文件的 letsencrypt 空文件夹