让我们加密/Traefik/挑战 DNS AWS NET::ERR_CERT_AUTHORITY_INVALID

Let's encrypt / Traefik / Challenge DNS AWS NET::ERR_CERT_AUTHORITY_INVALID

我使用 traefik 作为反向代理,我希望能够使用 route 53 (AWS) 提供商从 DNS 质询中生成 let's encrypt 证书。

这是我的配置:

特拉菲克:

# Traefik
  traefik:
    image: traefik:v2.3.6
    container_name: traefik
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
     # - ./traefik.toml:/etc/traefik/traefik.toml
      - ./acme.json:/acme.json
      - traefik-public-certicate:/certifcates
    ports:
      - "80:80"     # http
      - "443:443" # https
    environment:
      - AWS_REGION=${AWS_REGION}
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_HOSTED_ZONE_ID=${AWS_HOSTED_ZONE_ID}
    command:
      - --api.dashboard=true
      - --providers.docker=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --certificatesresolvers.default.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
     # - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --certificatesresolvers.default.acme.email=example@gmail.com
      - --certificatesresolvers.default.acme.storage=acme.json
      - --certificatesresolvers.default.acme.dnschallenge=true
      - --certificatesresolvers.default.acme.dnschallenge.provider=route53
      - --certificatesresolvers.default.acme.dnschallenge.delayBeforeCheck=60
      - --certificatesresolvers.default.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      - --certificatesresolvers.default.acme.dnschallenge.disablepropagationcheck=true
    labels:
      - traefik.enable=true
      - traefik.docker.network=app
      - traefik.http.routers.api.rule=Host(`${HOSTNAME}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.tls.certresolver=default
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.api.middlewares=auth # middlewares auth
      - traefik.http.routers.api.tls=true
      - traefik.http.routers.api.tls.domains[0].main=${HOSTNAME}
      - traefik.http.routers.api.tls.domains[0].sans=*.${HOSTNAME}
      - traefik.http.middlewares.auth.basicauth.users=MyUser:MyPassword
    networks:
      - app

示例服务:

# Ms-example
  ms-example:
    build: ms-example
    container_name: ms-example
    expose:
      - "80"
    volumes:
      - ./ms-example/vhosts:/etc/apache2/sites-enabled
      - ./ms-example/:/var/www/html/example
    restart: always
    labels:
      - traefik.docker.network=app
      - traefik.enable=true
      - traefik.http.routers.ms-security.rule=Host(`${HOSTNAME}`) && PathPrefix(`/v1.0/ms-example`)
      - traefik.http.routers.ms-example.entrypoints=websecure
      - traefik.http.routers.ms-example.tls=true
      - traefik.http.routers.ms-example.tls.certresolver=default
      - traefik.http.routers.ms-example.tls.domains[0].main=${HOSTNAME}
      - traefik.http.routers.ms-example.tls.domains[0].sans=*.${HOSTNAME}
    networks:
      - app

为 IAM 用户提供的策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetChange",
                "route53:ListHostedZones"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "iam:ListServerCertificates",
                "iam:GetServerCertificate",
                "iam:UploadServerCertificate"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

我在浏览器和邮递员上收到这样的错误:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT

Issuer: TRAEFIK DEFAULT CERT

Expires on: 20 août 2022

Current date: 20 août 2021

PEM encoded chain:
-----BEGIN CERTIFICATE-----
MYCERTIFICATE
-----END CERTIFICATE-----

如何使证书有效?我哪里错了?

如果您想了解更多信息,请不要犹豫,尤其是如果有人知道我是一个索取者。

编辑

这是我在 Traefik 日志中发现的错误:

time="2021-08-23T13:20:22Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.fr,*.mydomain.fr\" : unable to generate a certificate for the domains [mydomain.fr *.mydomain.fr]: error: one or more domains had a problem:\n[*.mydomain.fr] [*.mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: c702090f-fdcc-4364-a207-a82d58446324\n[mydomain.fr] [mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: eb5efd0e-10cd-4369-846c-e0dfe31109de\n" providerName=default.acme

mydomain 是我的域名。 据我了解,这是因为主机 ID 而被阻止,但尽管进行了大量研究,我还是不太了解这个派对。

对初始评论的总结 post:除非有充分的理由不这样做,否则最好使用 LetsEncrypt HTTP 质询。他们不需要与特定的 DNS 集成。