Docker 让'；s加密、traefik和TLS

我正在用docker和traefik设置一个gitea实例。 我希望它是安全的，让我们加密证书

我的docker-compose.yml如下所示（我希望有足够的评论）：

我认为我的设置是正确的，因为我从许多资源/论坛/stackoverflow线程中获得了灵感。 但traefik日志文件中仍有一条消息我无法解决：

time="2020-02-03T05:26:29Z" level=debug msg="Domains
[\"gitea.lutix.org\"] need ACME certificates generation for domains \"gitea.lutix.org\"." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Loading ACME certificates [gitea.lutix.org]..." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Building ACME client..." providerName=le.acme
time="2020-02-03T05:26:29Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="Using TLS Challenge provider." providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Obtaining bundled SAN certificate"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: use tls-alpn-01 solver"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Trying to solve TLS-ALPN-01"
time="2020-02-03T05:26:33Z" level=debug msg="TLS Challenge Present temp certificate for gitea.lutix.org" providerName=acme

到目前为止，一切都很好

time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54496: remote error: tls: bad certificate"
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54500: remote error: tls: bad certificate"

混乱开始了

time="2020-02-03T05:26:44Z" level=debug msg="TLS Challenge CleanUp temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870" time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54512: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54516: remote error: tls: bad certificate"

我面临这个TLS握手错误的原因是什么？关于防火墙，为了测试，所有规则都已停用。 我可以做些什么来获取TLS握手失败的更多信息？

---

我是否应该切换到另一个挑战，如http或dns？

1。您的gitea路由器http未连接到入口点。我不知道是否有默认入口点，但添加“-traefik.http.routers.gitea router http.entrypoints=web”应该不会造成任何伤害。2.您尝试过http挑战吗？这是最常用的。在下面的步骤中检查利弊。您使用的是TLS-ALPN-01，根据文件“不适合大多数人”3。可能是因为您使用的是临时ca服务器吗？我不熟悉这个，所以这只是一个猜测。也许把它处理掉

time="2020-02-03T05:26:44Z" level=debug msg="TLS Challenge CleanUp temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870" time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54512: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54516: remote error: tls: bad certificate"