Letsencrypt certs generated but getting TLS error with docker traefik using dns acme challenge
I am following this documentation https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/ to set up docker traefik with the letsencrypt dns acme challenge.
I am able to get a certificate generated for every service that dynamically requests one, and the logs show:
time="2021-08-09T21:21:27Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:27Z" level=debug msg="Domains [\"redis.example.com\"] need ACME certificates generation for domains \"redis.example.com\"." rule="Host(`redis.example.com`)" routerName=redis@docker providerName=myresolver.acme
time="2021-08-09T21:21:27Z" level=debug msg="Loading ACME certificates [redis.example.com]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Obtaining bundled SAN certificate"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/233260818"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: tls-alpn-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: http-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: use dns-01 solver"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Preparing to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] cloudflare: new record for redis.example.com, ID 8da8eadd16f8e99c8b7ce8412f124ad7"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Trying to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Checking DNS record propagation using [127.0.0.11:53]"
time="2021-08-09T21:21:29Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2021-08-09T21:21:30Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Waiting for DNS record propagation."
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] The server validated our request"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Cleaning DNS-01 challenge"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Validations succeeded; requesting certificates"
time="2021-08-09T21:21:42Z" level=debug msg="legolog: [INFO] [redis.example.com] Server responded with a certificate."
time="2021-08-09T21:21:42Z" level=debug msg="Certificates obtained for domains [redis.example.com]" providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:42Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) adminer.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) redis.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="No default certificate, generating one"
But when I visit the service endpoints redis.example.com and adminer.example.com I still get a TLS error:
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for adminer.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=websecure
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [adminer.example.com] found in HostSNI rule" providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [redis.example.com] found in HostSNI rule" routerName=redis@docker rule="Host(`redis.example.com`)" providerName=myresolver.acme
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme routerName=redis@docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"redis.example.com\"]." providerName=myresolver.acme routerName=redis@docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"adminer.example.com\"]..." providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"adminer.example.com\"]." providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57716: remote error: tls: unknown certificate"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57718: remote error: tls: unknown certificate"
Here are the contents of ./letsencrypt/acme.json:
{
  "myresolver": {
    "Account": {
      "Email": "user@email.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:user@email.com"
          ]
        },
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123"
      },
      "PrivateKey": "MIIJEjdXXXXX==",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "adminer.example.com"
        },
        "certificate": "LS0tXXXXX==",
        "key": "LS0tLXXXXX==",
        "Store": "default"
      },
      {
        "domain": {
          "main": "redis.example.com"
        },
        "certificate": "LS0tLXXXX",
        "key": "LS0tLXXXX",
        "Store": "default"
      }
    ]
  }
}
So what am I missing or what do I need to fix?
Here is the traefik_docker_compose.yaml file:
version: "3.9"
services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=user@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    env_file:
      - ./.env.traefik
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik_network
networks:
  traefik_network:
    name: traefik_network
and, for example, the adminer_docker_compose.yaml file:
version: '3.9'
services:
  adminer:
    image: adminer:latest
    restart: always
    container_name: adminer
    networks:
      - adminer_network
      - traefik_network
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_network"
      - "traefik.http.services.adminer.loadbalancer.server.port=8080"
      - "traefik.http.routers.adminer.entrypoints=web"
      - "traefik.http.routers.adminer.rule=Host(`adminer.example.com`)"
      - "traefik.http.routers.adminer.tls.certresolver=myresolver"
networks:
  adminer_network:
    name: adminer_network
  traefik_network:
    external:
      name: traefik_network
How do I fix the TLS error?
All of the configuration was correct; the only issue was switching from the staging server to live testing.
In the traefik_docker_compose.yaml file I commented out the following line:
...
...
...
services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
...
...
...
Then I deleted the contents of the ./letsencrypt/ folder (or deleted the acme file ./letsencrypt/acme.json) and restarted traefik.
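An added example (not code from the question or answer) that audits the two places the staging CA hides in this setup: the acme.json store, whose account URI stays on acme-staging-v02 even after the caserver flag is removed (which is why the file had to be deleted), and the Traefik command list. The sample acme.json and command list are constructed to mirror the question's files; the key and certificate blobs are placeholders. Staging certificates chain to a root that browsers do not trust, so clients abort the handshake and Traefik logs "remote error: tls: unknown certificate".

```python
import json

STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"

# Constructed sample in the layout Traefik v2 writes to acme.json
# (PrivateKey/certificate/key are placeholders, not real material).
SAMPLE_ACME_JSON = json.dumps({
    "myresolver": {
        "Account": {
            "Email": "user@email.com",
            "Registration": {
                "body": {"status": "valid", "contact": ["mailto:user@email.com"]},
                "uri": "https://" + STAGING_HOST + "/acme/acct/123",
            },
            "PrivateKey": "PLACEHOLDER",
            "KeyType": "4096",
        },
        "Certificates": [
            {"domain": {"main": "adminer.example.com"}, "certificate": "X", "key": "X", "Store": "default"},
            {"domain": {"main": "redis.example.com"}, "certificate": "X", "key": "X", "Store": "default"},
        ],
    }
})

# Constructed command list mirroring the question's traefik compose file.
SAMPLE_COMMAND = [
    "--certificatesresolvers.myresolver.acme.dnschallenge=true",
    "--certificatesresolvers.myresolver.acme.caserver=https://" + STAGING_HOST + "/directory",
    "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json",
]


def staging_resolvers(acme_json_text):
    """Map each resolver whose ACME account was registered at staging to its domains.

    The account URI is the durable signal: a store created against staging keeps
    that account (and staging-issued certs) until the file is deleted.
    """
    hits = {}
    for resolver, entry in json.loads(acme_json_text).items():
        uri = entry.get("Account", {}).get("Registration", {}).get("uri", "")
        if STAGING_HOST in uri:
            hits[resolver] = [c["domain"]["main"] for c in entry.get("Certificates", [])]
    return hits


def staging_caserver_flags(command):
    """Return the --certificatesresolvers.*.acme.caserver flags that point at staging."""
    return [f for f in command if ".acme.caserver=" in f and STAGING_HOST in f]


if __name__ == "__main__":
    print("staging resolvers in acme.json:", staging_resolvers(SAMPLE_ACME_JSON))
    print("staging caserver flags:", staging_caserver_flags(SAMPLE_COMMAND))
```

Run it against the real ./letsencrypt/acme.json and the compose command list; an empty result from both functions after the switch confirms nothing still references the staging CA.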