gpt4 book ai didi

Docker Traefik 无法解析 DNS(无法到达服务器并获取证书)

转载 作者:行者123 更新时间:2023-12-02 19:49:08 24 4
gpt4 key购买 nike

谷歌搜索以下问题表明这不是第一次发布,但是,他们都没有真正给出答案。

在 Docker 中将 Traefik(又名 v2.2.1 又名最新版本)作为容器启动时,无论我尝试什么,对于所有配置的域,我都会不断收到以下错误:

time="2020-05-24T15:48:57Z" level=error msg="Unable to obtain ACME certificate for domains \"<my domain>\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:44687->127.0.0.11:53: i/o timeout" routerName=traefik@docker rule="Host(`<my domain>`)" providerName=le.acme

检查 https://letsencrypt.status.io/似乎不是 Let's Encrypt 的服务器的问题

enter image description here
enter image description here

我在服务器 Debian 10、Ubuntu Server 18.04 和 20.04 上尝试了两种不同的操作系统。在安装操作系统时,我总是遵循我在这里为自己创建的指南: https://gist.github.com/D3strukt0r/5aaba1a021d16b31fa19adf6eb26a102

是的,我在系统中做的尽可能少,而在容器中做的尽可能多。

以下是我的 docker-compose.yml对于 Traefik

version: "2"

# Manage domain access to services
services:
traefik:
container_name: traefik
image: traefik
command:
- --log.level=DEBUG
- --api.dashboard=true
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --providers.docker.network=traefik_proxy
- --entrypoints.http.address=:80
- --entrypoints.https.address=:443
- --certificatesresolvers.le.acme.email=${ACME_EMAIL}
- --certificatesresolvers.le.acme.storage=acme.json
- --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.le.acme.dnschallenge=true
- --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
# - --certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
restart: always
networks:
- traefik_proxy
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
#- ./acme.json:/acme.json
- ./acme_testing.json:/acme.json
environment:
CF_API_EMAIL: ${CF_API_EMAIL}
CF_API_KEY: ${CF_API_KEY}
labels:
- traefik.enable=true

- traefik.http.routers.traefik0.entrypoints=http
- traefik.http.routers.traefik0.rule=Host(`<my domain>`)
- traefik.http.routers.traefik0.middlewares=to_https

- traefik.http.routers.traefik.entrypoints=https
- traefik.http.routers.traefik.rule=Host(`<my domain>`)
- traefik.http.routers.traefik.middlewares=traefik_auth
- traefik.http.routers.traefik.tls=true
- traefik.http.routers.traefik.tls.certresolver=le
- traefik.http.routers.traefik.service=api@internal

# Declaring the user list
#
# Note: all dollar signs in the hash need to be doubled for escaping.
# To create user:password pair, it's possible to use this command:
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
- traefik.http.middlewares.traefik_auth.basicauth.users=${TRAEFIK_USERS}

# Standard middleware for other containers to use
- traefik.http.middlewares.to_https.redirectscheme.scheme=https
- traefik.http.middlewares.to_https_perm.redirectscheme.scheme=https
- traefik.http.middlewares.to_https_perm.redirectscheme.permanent=true

networks:
traefik_proxy:
external: true

里面的文件夹结构:
root@server:/opt/traefik# ls -Al
total 8
-rw------- 1 root root 0 May 24 00:37 acme.json
-rw------- 1 root root 0 May 24 00:37 acme_testing.json
-rw-rw-r-- 1 root docker 2406 May 24 18:04 docker-compose.yml
-rw-rw-r-- 1 root docker 185 May 23 23:49 .env

这就是配置的全部内容。

一个 nslookup外部将给出以下信息:
root@server:/opt/traefik# nslookup acme-staging-v02.api.letsencrypt.org
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
acme-staging-v02.api.letsencrypt.org canonical name = staging.api.letsencrypt.org.
staging.api.letsencrypt.org canonical name = 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com.
Name: 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Address: 172.65.46.172
Name: 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Address: 2606:4700:60:0:f41b:d4fe:4325:6026

一个 nslookup里面的容器将给出以下内容:
manuele@server:/opt$ docker exec -it traefik /bin/sh
/ # nslookup acme-staging-v02.api.letsencrypt.org
;; connection timed out; no servers could be reached

也许更多信息,这里也是日志
root@server:/opt/traefik# docker-compose up
Recreating traefik ... done
Attaching to traefik
traefik | time="2020-05-24T16:05:34Z" level=info msg="Configuration loaded from flags."
traefik | time="2020-05-24T16:05:34Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik_proxy\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"le\":{\"acme\":{\"email\":\"<ACME Email>\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"}}}}}"
traefik | time="2020-05-24T16:05:34Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
traefik | time="2020-05-24T16:05:34Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Start TCP Server" entryPointName=https
traefik | time="2020-05-24T16:05:34Z" level=info msg="Starting provider *acme.Provider {\"email\":\"<ACME Email>\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"le\",\"store\":{},\"ChallengeStore\":{}}"
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Start TCP Server" entryPointName=http
traefik | time="2020-05-24T16:05:34Z" level=info msg="Testing certificate renew..." providerName=le.acme
traefik | time="2020-05-24T16:05:34Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik_proxy\",\"swarmModeRefreshSeconds\":15000000000}"
traefik | time="2020-05-24T16:05:34Z" level=info msg="Starting provider *traefik.Provider {}"
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Configuration received from provider le.acme: {\"http\":{},\"tls\":{}}" providerName=le.acme
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik | time="2020-05-24T16:05:34Z" level=debug msg="No default certificate, generating one"
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Provider connection established with docker 19.03.9 (API 1.40)" providerName=docker
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"traefik\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"traefik_auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`<my domain>`)\",\"tls\":{\"certResolver\":\"le\"}},\"traefik0\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"to_https\"],\"service\":\"traefik-traefik\",\"rule\":\"Host(`<my domain>`)\"}},\"services\":{\"traefik-traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"to_https\":{\"redirectScheme\":{\"scheme\":\"https\"}},\"to_https_perm\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}},\"traefik_auth\":{\"basicAuth\":{\"users\":[\"<traefik users>\"]}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
traefik | time="2020-05-24T16:05:34Z" level=debug msg="No default certificate, generating one"
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" serviceName=traefik-traefik entryPointName=http routerName=traefik0@docker middlewareName=pipelining middlewareType=Pipelining
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Creating load-balancer" entryPointName=http routerName=traefik0@docker serviceName=traefik-traefik
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Creating server 0 http://172.18.0.2:80" routerName=traefik0@docker serviceName=traefik-traefik serverName=0 entryPointName=http
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Added outgoing tracing middleware traefik-traefik" middlewareType=TracingForwarder routerName=traefik0@docker entryPointName=http middlewareName=tracing
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" entryPointName=http routerName=traefik0@docker middlewareName=to_https@docker middlewareType=RedirectScheme
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Setting up redirection to https " entryPointName=http routerName=traefik0@docker middlewareName=to_https@docker middlewareType=RedirectScheme
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Adding tracing to middleware" entryPointName=http routerName=traefik0@docker middlewareName=to_https@docker
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=http middlewareName=traefik-internal-recovery
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=https routerName=traefik@docker
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" middlewareType=BasicAuth routerName=traefik@docker entryPointName=https middlewareName=traefik_auth@docker
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Adding tracing to middleware" routerName=traefik@docker middlewareName=traefik_auth@docker entryPointName=https
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik | time="2020-05-24T16:05:34Z" level=debug msg="No default certificate, generating one"
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Try to challenge certificate for domain [<my domain>] found in HostSNI rule" providerName=le.acme rule="Host(`<my domain>`)" routerName=traefik@docker
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Looking for provided certificate(s) to validate [\"<my domain>\"]..." providerName=le.acme rule="Host(`<my domain>`)" routerName=traefik@docker
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Domains [\"<my domain>\"] need ACME certificates generation for domains \"<my domain>\"." providerName=le.acme rule="Host(`<my domain>`)" routerName=traefik@docker
traefik | time="2020-05-24T16:05:34Z" level=debug msg="Loading ACME certificates [<my domain>]..." providerName=le.acme rule="Host(`<my domain>`)" routerName=traefik@docker
traefik | time="2020-05-24T16:05:35Z" level=debug msg="Building ACME client..." providerName=le.acme
traefik | time="2020-05-24T16:05:35Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
traefik | time="2020-05-24T16:05:55Z" level=error msg="Unable to obtain ACME certificate for domains \"<my domain>\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:49272->127.0.0.11:53: i/o timeout" routerName=traefik@docker providerName=le.acme rule="Host(`<my domain>`)"

现在的另一个选择是使用 docker run ...相反,让我们尝试:

docker run -it \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /opt/traefik/acme_testing.json:/acme.json \
-e CF_API_EMAIL="<Cloudflare Email>" \
-e CF_API_KEY="<Cloudflare API>" \
-p 80:80 \
-p 443:443 \
--network traefik_proxy \
--name traefik \
traefik \
--log.level=DEBUG \
--api.dashboard=true \
--providers.docker=true \
--providers.docker.exposedbydefault=false \
--providers.docker.network=traefik_proxy \
--entrypoints.http.address=:80 \
--entrypoints.https.address=:443 \
--certificatesresolvers.le.acme.email="<ACME Email>" \
--certificatesresolvers.le.acme.storage=acme.json \
--certificatesresolvers.le.acme.caserver="https://acme-staging-v02.api.letsencrypt.org/directory" \
--certificatesresolvers.le.acme.dnschallenge=true \
--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare

这使:
root@server:/opt/traefik# docker exec -it traefik /bin/sh
/ # nslookup acme-staging-v02.api.letsencrypt.org
;; connection timed out; no servers could be reached

好的,在没有网络的情况下重试:

docker run -it \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /opt/traefik/acme_testing.json:/acme.json \
-e CF_API_EMAIL="<Cloudflare Email>" \
-e CF_API_KEY="<Cloudflare API>" \
-p 80:80 \
-p 443:443 \
--name traefik \
traefik \
--log.level=DEBUG \
--api.dashboard=true \
--providers.docker=true \
--providers.docker.exposedbydefault=false \
--providers.docker.network=traefik_proxy \
--entrypoints.http.address=:80 \
--entrypoints.https.address=:443 \
--certificatesresolvers.le.acme.email="<ACME Email>" \
--certificatesresolvers.le.acme.storage=acme.json \
--certificatesresolvers.le.acme.caserver="https://acme-staging-v02.api.letsencrypt.org/directory" \
--certificatesresolvers.le.acme.dnschallenge=true \
--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare

这导致:
root@server:/opt/traefik# docker exec -it traefik /bin/sh
/ # nslookup acme-staging-v02.api.letsencrypt.org
nslookup: write to '192.168.1.233': Connection refused
Server: 192.168.1.1
Address: 192.168.1.1:53

Non-authoritative answer:
acme-staging-v02.api.letsencrypt.org canonical name = staging.api.letsencrypt.org
staging.api.letsencrypt.org canonical name = 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Name: 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Address: 172.65.46.172

Non-authoritative answer:
acme-staging-v02.api.letsencrypt.org canonical name = staging.api.letsencrypt.org
staging.api.letsencrypt.org canonical name = 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Name: 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Address: 2606:4700:60:0:f41b:d4fe:4325:6026

通过所有这些,acme 文件一直是空的,所以问题仍然存在。
root@server:/opt/traefik# ls -Al
total 12
-rw------- 1 root root 0 May 24 00:37 acme.json
-rw------- 1 root root 0 May 24 00:37 acme_testing.json
-rw-rw-r-- 1 root docker 2406 May 24 18:04 docker-compose.yml
-rw-rw-r-- 1 root docker 185 May 23 23:49 .env

如果有人可以帮助解决这个问题,非常感谢您提前。

如果您需要比我添加的所有内容更多的信息,请随时告诉我,我会提供。

最佳答案

所以,经过几个小时的修修补补,我发现这是一个存在于 docker-compose 宇宙中的问题。解决这个问题实际上非常简单。

在每个需要与外界通信的容器中添加以下内容:

version: "2"

services:
<the service>:
...
dns:
- 1.1.1.1
- 1.0.0.1
...

这将告诉容器内的 DNS 解析器(位于 127.0.0.11 下)使用这些域,而不是阻止它与外界通信的任何东西。

关于Docker Traefik 无法解析 DNS(无法到达服务器并获取证书),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/61989108/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com