让我们加密/Traefik/挑战 DNS AWS NET::ERR_CERT_AUTHORITY_INVALID
Let's encrypt / Traefik / Challenge DNS AWS NET::ERR_CERT_AUTHORITY_INVALID
我使用 traefik 作为反向代理,我希望能够使用 route 53 (AWS) 提供商从 DNS 质询中生成 let's encrypt 证书。
这是我的配置:
特拉菲克:
# Traefik
traefik:
image: traefik:v2.3.6
container_name: traefik
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# - ./traefik.toml:/etc/traefik/traefik.toml
- ./acme.json:/acme.json
- traefik-public-certicate:/certifcates
ports:
- "80:80" # http
- "443:443" # https
environment:
- AWS_REGION=${AWS_REGION}
- AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
- AWS_HOSTED_ZONE_ID=${AWS_HOSTED_ZONE_ID}
command:
- --api.dashboard=true
- --providers.docker=true
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --certificatesresolvers.default.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
# - --entrypoints.web.http.redirections.entrypoint.permanent=true
- --certificatesresolvers.default.acme.email=example@gmail.com
- --certificatesresolvers.default.acme.storage=acme.json
- --certificatesresolvers.default.acme.dnschallenge=true
- --certificatesresolvers.default.acme.dnschallenge.provider=route53
- --certificatesresolvers.default.acme.dnschallenge.delayBeforeCheck=60
- --certificatesresolvers.default.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
- --certificatesresolvers.default.acme.dnschallenge.disablepropagationcheck=true
labels:
- traefik.enable=true
- traefik.docker.network=app
- traefik.http.routers.api.rule=Host(`${HOSTNAME}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
- traefik.http.routers.api.entrypoints=websecure
- traefik.http.routers.api.tls.certresolver=default
- traefik.http.routers.api.service=api@internal
- traefik.http.routers.api.middlewares=auth # middlewares auth
- traefik.http.routers.api.tls=true
- traefik.http.routers.api.tls.domains[0].main=${HOSTNAME}
- traefik.http.routers.api.tls.domains[0].sans=*.${HOSTNAME}
- traefik.http.middlewares.auth.basicauth.users=MyUser:MyPassword
networks:
- app
示例服务:
# Ms-example
ms-example:
build: ms-example
container_name: ms-example
expose:
- "80"
volumes:
- ./ms-example/vhosts:/etc/apache2/sites-enabled
- ./ms-example/:/var/www/html/example
restart: always
labels:
- traefik.docker.network=app
- traefik.enable=true
- traefik.http.routers.ms-security.rule=Host(`${HOSTNAME}`) && PathPrefix(`/v1.0/ms-example`)
- traefik.http.routers.ms-example.entrypoints=websecure
- traefik.http.routers.ms-example.tls=true
- traefik.http.routers.ms-example.tls.certresolver=default
- traefik.http.routers.ms-example.tls.domains[0].main=${HOSTNAME}
- traefik.http.routers.ms-example.tls.domains[0].sans=*.${HOSTNAME}
networks:
- app
为 IAM 用户提供的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:GetChange",
"route53:ListHostedZones"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"iam:UploadServerCertificate"
],
"Resource": [
"*"
]
}
]
}
我在浏览器和邮递员上收到这样的错误:
NET::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT
Issuer: TRAEFIK DEFAULT CERT
Expires on: 20 août 2022
Current date: 20 août 2021
PEM encoded chain:
-----BEGIN CERTIFICATE-----
MYCERTIFICATE
-----END CERTIFICATE-----
如何使证书有效?我哪里错了?
如果您想了解更多信息,请不要犹豫,尤其是如果有人知道我是一个索取者。
编辑
这是我在 Traefik 日志中发现的错误:
time="2021-08-23T13:20:22Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.fr,*.mydomain.fr\" : unable to generate a certificate for the domains [mydomain.fr *.mydomain.fr]: error: one or more domains had a problem:\n[*.mydomain.fr] [*.mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: c702090f-fdcc-4364-a207-a82d58446324\n[mydomain.fr] [mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: eb5efd0e-10cd-4369-846c-e0dfe31109de\n" providerName=default.acme
mydomain 是我的域名。
据我了解,这是因为主机 ID 而被阻止,但尽管进行了大量研究,我还是不太了解这个派对。
对初始评论的总结 post:除非有充分的理由不这样做,否则最好使用 LetsEncrypt HTTP 质询。他们不需要与特定的 DNS 集成。
我使用 traefik 作为反向代理,我希望能够使用 route 53 (AWS) 提供商从 DNS 质询中生成 let's encrypt 证书。
这是我的配置:
特拉菲克:
# Traefik
traefik:
image: traefik:v2.3.6
container_name: traefik
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# - ./traefik.toml:/etc/traefik/traefik.toml
- ./acme.json:/acme.json
- traefik-public-certicate:/certifcates
ports:
- "80:80" # http
- "443:443" # https
environment:
- AWS_REGION=${AWS_REGION}
- AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
- AWS_HOSTED_ZONE_ID=${AWS_HOSTED_ZONE_ID}
command:
- --api.dashboard=true
- --providers.docker=true
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --certificatesresolvers.default.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
# - --entrypoints.web.http.redirections.entrypoint.permanent=true
- --certificatesresolvers.default.acme.email=example@gmail.com
- --certificatesresolvers.default.acme.storage=acme.json
- --certificatesresolvers.default.acme.dnschallenge=true
- --certificatesresolvers.default.acme.dnschallenge.provider=route53
- --certificatesresolvers.default.acme.dnschallenge.delayBeforeCheck=60
- --certificatesresolvers.default.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
- --certificatesresolvers.default.acme.dnschallenge.disablepropagationcheck=true
labels:
- traefik.enable=true
- traefik.docker.network=app
- traefik.http.routers.api.rule=Host(`${HOSTNAME}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
- traefik.http.routers.api.entrypoints=websecure
- traefik.http.routers.api.tls.certresolver=default
- traefik.http.routers.api.service=api@internal
- traefik.http.routers.api.middlewares=auth # middlewares auth
- traefik.http.routers.api.tls=true
- traefik.http.routers.api.tls.domains[0].main=${HOSTNAME}
- traefik.http.routers.api.tls.domains[0].sans=*.${HOSTNAME}
- traefik.http.middlewares.auth.basicauth.users=MyUser:MyPassword
networks:
- app
示例服务:
# Ms-example
ms-example:
build: ms-example
container_name: ms-example
expose:
- "80"
volumes:
- ./ms-example/vhosts:/etc/apache2/sites-enabled
- ./ms-example/:/var/www/html/example
restart: always
labels:
- traefik.docker.network=app
- traefik.enable=true
- traefik.http.routers.ms-security.rule=Host(`${HOSTNAME}`) && PathPrefix(`/v1.0/ms-example`)
- traefik.http.routers.ms-example.entrypoints=websecure
- traefik.http.routers.ms-example.tls=true
- traefik.http.routers.ms-example.tls.certresolver=default
- traefik.http.routers.ms-example.tls.domains[0].main=${HOSTNAME}
- traefik.http.routers.ms-example.tls.domains[0].sans=*.${HOSTNAME}
networks:
- app
为 IAM 用户提供的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:GetChange",
"route53:ListHostedZones"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"iam:UploadServerCertificate"
],
"Resource": [
"*"
]
}
]
}
我在浏览器和邮递员上收到这样的错误:
NET::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT
Issuer: TRAEFIK DEFAULT CERT
Expires on: 20 août 2022
Current date: 20 août 2021
PEM encoded chain:
-----BEGIN CERTIFICATE-----
MYCERTIFICATE
-----END CERTIFICATE-----
如何使证书有效?我哪里错了?
如果您想了解更多信息,请不要犹豫,尤其是如果有人知道我是一个索取者。
编辑
这是我在 Traefik 日志中发现的错误:
time="2021-08-23T13:20:22Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.fr,*.mydomain.fr\" : unable to generate a certificate for the domains [mydomain.fr *.mydomain.fr]: error: one or more domains had a problem:\n[*.mydomain.fr] [*.mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: c702090f-fdcc-4364-a207-a82d58446324\n[mydomain.fr] [mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: eb5efd0e-10cd-4369-846c-e0dfe31109de\n" providerName=default.acme
mydomain 是我的域名。 据我了解,这是因为主机 ID 而被阻止,但尽管进行了大量研究,我还是不太了解这个派对。
对初始评论的总结 post:除非有充分的理由不这样做,否则最好使用 LetsEncrypt HTTP 质询。他们不需要与特定的 DNS 集成。