Docker 带有Letsencrypt的Traefik V2.0无法为域生成证书
我正在用Whoami进行测试,发现生成证书的问题 没有在acme.json文件中生成任何证书,站点正在使用来自Traefik的默认证书,导航器认为该证书无效 以下是错误:Docker 带有Letsencrypt的Traefik V2.0无法为域生成证书,docker,https,docker-compose,lets-encrypt,traefik,Docker,Https,Docker Compose,Lets Encrypt,Traefik,我正在用Whoami进行测试,发现生成证书的问题 没有在acme.json文件中生成任何证书,站点正在使用来自Traefik的默认证书,导航器认为该证书无效 以下是错误: traefik | time="2019-10-14T21:16:15Z" level=error msg="Unable to obtain ACME certificate for domains \"inner-whoami.mysite.com\": unable to generate a certi
traefik | time="2019-10-14T21:16:15Z" level=error msg="Unable to obtain ACME certificate for domains \"inner-whoami.mysite.com\": unable to generate a certificate for the domains [inner-whoami.mysite.com]: acme: Error -> One or more domains had a problem:\n[inner-whoami.mysite.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://inner-whoami.mysite.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxx [51.75.207.100]: \"Hostname: xxxxxxxxxx\\nIP: 127.0.0.1\\nIP: 172.18.0.2\\nRemoteAddr: 172.18.0.3:55692\\nGET /.well-known/acme-challenge/xxxxxxxxxx\", url: \n" rule="Host(`inner-whoami.mysite.com`)" routerName=inner-whoami-secured providerName=myhttpchallenge.acme
traefik | time="2019-10-14T21:16:17Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxxx"
这是docker-compose.yml文件。所有的东西都在里面。如您所见,这是一个准备进一步部署的测试。不是实际的生产文件。我需要先解决此问题,然后才能在服务器范围内使用Traefik
version: "3.3"
networks:
# Allow the use of traefik in other docker-compose.yml files
traefik:
external: true
services:
traefik:
image: "traefik:v2.0"
container_name: "traefik"
command:
# Only for development environment
- "--log.level=DEBUG"
- "--api.insecure=true"
# Get Docker as the provider
- "--providers.docker=true"
# Avoid that all containers are exposed
- "--providers.docker.exposedbydefault=false"
# Settle the ports for the entry points
- "--entrypoints.web.address=:80"
- "--entrypoints.web-secure.address=:443"
# Settle the autentification method to http challenge
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web-secure"
# Uncomment this to get a fake certificate when testing
#- "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
# Settle letsencrypt as the certificate provider
- "--certificatesresolvers.myhttpchallenge.acme.email=me@mail.com"
- "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- "traefik"
volumes:
# Store certificates in ./letsencrypt/acme.json
- "./letsencrypt:/letsencrypt"
# Connect to Doker socket
- "/var/run/docker.sock:/var/run/docker.sock:ro"
inner-whoami:
image: "containous/whoami"
container_name: "inner-whoami"
networks:
- "traefik"
labels:
- "traefik.enable=true"
# Get the routes from http
- "traefik.http.routers.inner-whoami.rule=Host(`inner-whoami.mysite.com`)"
- "traefik.http.routers.inner-whoami.entrypoints=web"
# Redirect these routes to https
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.routers.inner-whoami.middlewares=redirect-to-https@docker"
# Get the routes from https
- "traefik.http.routers.inner-whoami-secured.rule=Host(`inner-whoami.mysite.com`)"
- "traefik.http.routers.inner-whoami-secured.entrypoints=web-secure"
# Apply autentificiation with http challenge
- "traefik.http.routers.inner-whoami-secured.tls=true"
- "traefik.http.routers.inner-whoami-secured.tls.certresolver=myhttpchallenge"
你试过用你的真实网址而不是mysite.com吗 您可能需要将http质询的入口点从web安全更改为web,即: --certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web 或改用:
--certificatesresolvers.myhttpchallenge.acme.tlschallenge=true您是否检查了错误输出第二行链接中的json https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxxx
此链接包含有关挑战未通过的更多信息。如果它抱怨找不到A记录,我可能有一个解决方案。在我的情况下,我需要添加一个MX记录到我的DNS设置为我的域。否则一些DNS服务器将无法接收它。我用dig sub.mydomain.com@8.8.8.8测试了这一点,它给出了一个没有MX记录的SERVFAIL。ok,docker在-./letsencrypt:/letsencrypt?docker创建了文件夹,所以我想是的。它在根rw上。我试着把它卖给我的用户。这并没有改变行为。