
lets-encrypt - Traefik ACME timeout

Reposted. Author: 行者123. Updated: 2023-12-04 13:35:48

I am trying to get Traefik working properly in AKS. Overall it works fine, but I cannot get the ACME certificates to work. My traefik.toml configuration is attached below, and I cannot find anything odd in it.

The 3 domains mentioned in this use case are dummies; the real ones exist and respond as well.

```toml
# traefik.toml
logLevel = "info"
defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
  [entryPoints.traefik]
  address = ":8080"

[ping]
entryPoint = "http"

[kubernetes]

[traefikLog]
format = "json"

[acme]
KeyType = "RSA4096"
email = "pimjansen@domain.com"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
acmeLogging = true
  [acme.httpChallenge]
  entryPoint = "http"
  [[acme.domains]]
  main = "traefik.domain.com"
  [[acme.domains]]
  main = "elasticsearch.domain.com"
  [[acme.domains]]
  main = "kibana.domain.com"

[api]
entryPoint = "traefik"
dashboard = true
```

The actual error I receive is this:

```json
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"traefik.hardstyletop40.com\" : unable to generate a certificate for the domains [traefik.domain.com]: acme: Error -\u003e One or more domains had a problem:\n[traefik.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://traefik.hardstyletop40.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data, url: \n","time":"2019-09-11T14:47:13Z"}
```

Details about the challenge:

```json
"challenges": [
  {
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:connection",
      "detail": "Fetching http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data",
      "status": 400
    },
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/293838266/LPH2sA",
    "token": "mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
    "validationRecord": [
      {
        "url": "http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
        "hostname": "traefik.hardstyletop40.com",
        "port": "80",
        "addressesResolved": [
          "13.79.159.165"
        ],
        "addressUsed": "13.79.159.165"
      }
    ]
  },
```

Thanks in advance.

Best Answer

Let's Encrypt works by placing a file in the .well-known directory on the specified web server.
You say they are dummies, so you are probably doing them locally? In any case, if the automatically generated file cannot be found on the web server, it cannot be verified that the certificate is being requested from the domain that "owns" it.

Greatly simplified, the flow works like this:

  1. letsencrypt -> generate file name: abc133......
  2. letsencrypt -> find webroot of provided domain in webserver config
  3. letsencrypt -> copy file to .well-known in webroot of given domain
  4. letsencrypt -> send a webrequest with filename and domain name to letsencrypt.org
  5. letsencrypt.org -> try to request the file from the given domain looked up via dns
  6. letsencrypt.org -> successfully requested file and verified, output certificate
  7. letsencrypt -> read certificate and copy to certificates folder, make a few symlinks
  8. letsencrypt -> modify webserver configs if needed


Now, if you are using dummy domains rather than a live server, the process above will fail at step 3, which causes step 5 to fail, which leads to the error you receive.

Another approach, if you cannot run the command on the web server to generate the certificate, is to set up a DNS record key for verification:

```shell
sudo certbot -d your.dummy.com --manual --preferred-challenges dns certonly
```

This will give you a code that you need to put in a TXT record on your domain's DNS server.

[image: example of verification code]

Once that is done, you confirm in the Let's Encrypt application that you have set the record, and it continues.

In short, if you cannot run the command on the web server to generate the certificate, and you cannot modify the DNS records, you cannot obtain a certificate through Let's Encrypt.
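A diagnostic that replays the CA's side of step 5 before retrying the issuance (an added example, not code from the question, the answer, or Traefik): it resolves the host, fetches the challenge URL over plain HTTP on port 80, and checks that the body equals the RFC 8555 key authorization, `token.thumbprint`, where the thumbprint is the RFC 7638 JWK thumbprint of the ACME account key. The token is the one from the challenge above; the account JWK and the sample bodies are constructed.

```python
import base64, hashlib, json, socket, urllib.error, urllib.request

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def verify_body(body: str, token: str, account_jwk: dict) -> dict:
    """Compare a served body with the expected key authorization (whitespace-tolerant, like the CA)."""
    if body.strip() == key_authorization(token, account_jwk):
        return {"ok": True, "reason": None}
    return {"ok": False, "reason": "body mismatch (wrong account key or stale token?)"}

def check_http01(hostname: str, token: str, account_jwk: dict, timeout: float = 10.0) -> dict:
    """Mimic the validation: DNS lookup, plain-HTTP fetch on port 80, body comparison.
    'reason' names the failing stage, which maps onto the ACME error classes in the log."""
    result = {"hostname": hostname, "ok": False, "reason": None, "addresses": []}
    try:
        result["addresses"] = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 80)})
    except socket.gaierror as exc:
        result["reason"] = f"dns: {exc}"          # urn:ietf:params:acme:error:dns
        return result
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:   # follows redirects, as the CA does
            body = resp.read(4096).decode(errors="replace")
    except urllib.error.HTTPError as exc:
        result["reason"] = f"http status {exc.code}"                 # e.g. 404: nothing served at the path
        return result
    except (urllib.error.URLError, OSError) as exc:
        result["reason"] = f"connection: {exc}"   # refused / timeout / reset: the 'connection' error above
        return result
    result.update(verify_body(body, token, account_jwk))
    return result

# Constructed sample: a stand-in RSA account JWK (not a real key) and the token from the challenge above.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key", "alg": "RS256"}
SAMPLE_TOKEN = "mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY"

if __name__ == "__main__":
    print(check_http01("traefik.domain.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Run it from outside the cluster: a `dns:` reason points at the record, `connection:` at the port-80 path from the Internet to the Traefik http entry point, `http status 404` at Traefik not serving the token, and `body mismatch` at an account key or token that differs from the one in acme.json.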

Regarding lets-encrypt - Traefik ACME timeout, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57891977/
