docker - Traefik SSL configuration

Reposted. Author: 太空宇宙 Updated: 2023-11-03 13:59:45

So, I'm trying to deploy my docker swarm with traefik to a cluster of Digital Ocean droplets. I'm using traefik as my reverse proxy and load balancer, so I have to get the SSL certificate with traefik. The documentation looks simple, so I really don't understand what's wrong with my configuration. I hope you can shed some light on what I'm doing wrong. I'm using a wildcard domain so that most of my services run as subdomains of my root domain. Here is my toml:

debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[docker]
endpoint="unix:///var/run/docker.sock"
exposedByDefault=true
watch=true
swarmmode=true
domain="mouv.com"

[acme]
email = "leonardo@mouv.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
# caServer = "https://acme-v02.api.letsencrypt.org/directory"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [acme.dnsChallenge]
  provider = "digitalocean"
  delayBeforeCheck = 0
  [[acme.domains]]
  main = "*.mouv.com"
  sans = ["mouv.com"]

Here is my docker-stack.yml:

version: '3.6'

services:
  traefik:
    image: traefik:latest
    networks:
      - mouv-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    command: --api
    environment:
      DO_AUTH_TOKEN: "xxxxxxxxxxxxxxxx"
    deploy:
      placement:
        constraints: [node.role==manager]

  user:
    image: hollarves/users-mouv:latest
    networks:
      - mouv-net
    deploy:
      labels:
        - "traefik.port=8500"
        - "traefik.backend=user"
        - "traefik.docker.network=mouv-stack_mouv-net"
        - "traefik.enable=true"
        - "traefik.protocol=http"
        - "traefik.frontend.entryPoints=https"
        - "traefik.frontend.rule=Host:user.mouv.com"

  balances:
    image: hollarves/balances-mouv:latest
    networks:
      - mouv-net
    deploy:
      labels:
        - "traefik.port=8010"
        - "traefik.backend=balance"
        - "traefik.docker.network=mouv-stack_mouv-net"
        - "traefik.enable=true"
        - "traefik.protocol=http"
        - "traefik.frontend.entryPoints=https"
        - "traefik.frontend.rule=Host:balance.mouv.com"

  # this container is not part of traefik's network.
  firebase:
    image: hollarves/firebase-mouv:latest
    networks:
      - firebase-net

  # [ ..... more containers ..... ]

networks:
  mouv-net:
    driver: overlay

  # [ .... more networks .... ]

I also see this error in the logs:

mueve-stack_traefik.1.ndgfhj96lymx@node-1    | time="2019-02-19T13:15:46Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:50668: remote error: tls: unknown certificate authority"

And this one:

mueve-stack_traefik.1.igy1ilch6wl1@node-1    | time="2019-02-19T13:22:00Z" level=info msg="legolog: [WARN] [mueve.com] acme: error cleaning up: digitalocean: unknown record ID for '_acme-challenge.mueve.com.' "

When I try to navigate to one of my subdomain services, I get:

subdomain.mouv.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for 9a11926d7857657613b65578dfebc69f.8066eec25224a58acabd968e285babdf.traefik.default.

In my Digital Ocean domain configuration, I pretty much just added an A record pointing to my manager node's IP and a CNAME record for *.mouv.com.

Best answer

It is normal that the certificate provided by Let's Encrypt staging (caServer = "https://acme-staging-v02.api.letsencrypt.org/directory") is not a valid certificate.

https://letsencrypt.org/docs/staging-environment/

The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.

To get a valid certificate, you must use the Let's Encrypt production endpoint (caServer = "https://acme-v02.api.letsencrypt.org/directory").

On docker - Traefik SSL configuration, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54767496/
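As an added example (not code from the question, the answer, or the Traefik project), the script below is a small diagnostic for the Traefik v1 + ACME setup discussed above. Switching caServer to production is one condition for a trusted certificate, but note that the browser error quoted in the question names a certificate valid only for a hostname ending in ".traefik.default": that is the self-signed default certificate Traefik v1 generates and serves when it holds no ACME certificate for the requested SNI name, so a practitioner also wants to know which state the endpoint is actually in. The script classifies the served certificate (Traefik default, Let's Encrypt staging, Let's Encrypt production, other), and checks the traefik.toml for an active staging caServer and the acme.json store for existence and mode 600; it assumes a Traefik v1 style toml as on the page, an openssl binary for the live probe, and placeholder paths and hostnames that you adjust to your stack.

```shell
#!/usr/bin/env bash
# Added diagnostic for the Traefik v1 + ACME setup above; not code from the
# question, the answer, or the Traefik project. Paths and hostnames are
# placeholders (assumptions); adjust them to your stack.

# Classify the certificate an endpoint presents, from the subject and issuer
# lines printed by `openssl x509 -noout -subject -issuer`:
#   traefik-default         Traefik v1's generated self-signed certificate
#                           (CN ends in ".traefik.default"): no ACME certificate
#                           exists for the requested name, so fix DNS/ACME first.
#   letsencrypt-staging     Staging chain ("Fake LE ..." or "(STAGING)" issuer):
#                           ACME works; switch caServer to production.
#   letsencrypt-production  Production Let's Encrypt chain.
#   other-ca                Anything else.
classify_cert() {
    local subject="$1" issuer="$2"
    case "$subject" in
        *.traefik.default*) echo "traefik-default"; return 0 ;;
    esac
    case "$issuer" in
        *"Fake LE"*|*STAGING*) echo "letsencrypt-staging" ;;
        *"Let's Encrypt"*)     echo "letsencrypt-production" ;;
        *)                     echo "other-ca" ;;
    esac
}

# Check the two configuration problems visible in the question's files:
#   - caServer still points at the staging directory (only the active,
#     uncommented line counts; when absent, Traefik v1 defaults to production)
#   - acme.json is missing or not mode 600. Traefik v1 refuses a store with
#     looser permissions, and a store that lives only inside the container
#     (no volume for it, as in the stack file above) is lost on every redeploy,
#     so certificates are re-requested each time and rate limits get burned.
# Usage: check_acme_config ./traefik.toml ./acme.json   (exit 0 only if both OK)
check_acme_config() {
    local toml="$1" store="$2" ok=0 ca mode
    ca=$(grep -E '^[[:space:]]*caServer[[:space:]]*=' "$toml" | tail -n 1)
    case "$ca" in
        *acme-staging*) echo "caServer: STAGING directory (browsers will not trust the certs)"; ok=1 ;;
        *)              echo "caServer: production directory" ;;
    esac
    if [ ! -f "$store" ]; then
        echo "acme.json: missing; create it, chmod 600, and mount it as a volume"; ok=1
    else
        mode=$(stat -c '%a' "$store" 2>/dev/null || stat -f '%Lp' "$store")
        if [ "$mode" = "600" ]; then
            echo "acme.json: mode 600 ok"
        else
            echo "acme.json: mode $mode is too open; run chmod 600"; ok=1
        fi
    fi
    return "$ok"
}

# Live probe: fetch the leaf certificate served for HOST (sent as SNI, which is
# how Traefik selects the certificate) and classify it. Needs openssl and
# network reachability of the https entrypoint; not exercised offline.
probe_cert() {
    local host="$1" port="${2:-443}" out
    out=$(echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
            | openssl x509 -noout -subject -issuer 2>/dev/null) \
        || { echo "connect-failed"; return 1; }
    classify_cert "$(printf '%s\n' "$out" | sed -n 's/^subject=//p')" \
                  "$(printf '%s\n' "$out" | sed -n 's/^issuer=//p')"
}

# Command-line entry points (nothing runs when the file is sourced without
# arguments):
#   ./traefik-tls-check.sh config ./traefik.toml ./acme.json
#   ./traefik-tls-check.sh probe user.mouv.com
case "${1:-}" in
    config) check_acme_config "$2" "$3" ;;
    probe)  probe_cert "$2" "${3:-443}" ;;
esac
```

Run `probe` against each subdomain after a redeploy: "traefik-default" means the ACME flow never produced a certificate for that name (DNS challenge, domain list, or SNI mismatch), while "letsencrypt-staging" means the flow works and only the caServer needs to change. The classification is substring-based on the issuer, so it holds for both the older "Fake LE Intermediate X1" staging issuer quoted in the answer's link and the newer "(STAGING)" issuer names.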
