Fatal编程技术网
  • https/
  • Https Traefik无法获取新域的SSL证书

Https Traefik无法获取新域的SSL证书

https

Https Traefik无法获取新域的SSL证书,https,lets-encrypt,traefik,consul,Https,Lets Encrypt,Traefik,Consul,我已经设置了Traefik/Docker Swarm/Let's Encrypt/Concur,它一直运行良好。它成功地为域admin.domain.tld、registry.domain.tld和staging.domain.tld获取了证书,但是现在我已经尝试添加了为domain.tld和matomo.domain.tld提供服务的容器,这些容器没有获取任何证书(浏览器警告自签名证书,因为它是默认的Traefik证书) 我的Traefik配置(正在上载到领事): 可能相关,在traefik.

我已经设置了Traefik/Docker Swarm/Let's Encrypt/Concur,它一直运行良好。它成功地为域
admin.domain.tld
registry.domain.tld
staging.domain.tld
获取了证书,但是现在我已经尝试添加了为
domain.tld
matomo.domain.tld
提供服务的容器,这些容器没有获取任何证书(浏览器警告自签名证书,因为它是默认的Traefik证书)

我的Traefik配置(正在上载到领事):

可能相关,在
traefik.log
中,我反复(几乎每秒一次)得到以下结果(但仅针对
注册表
子域)。将数据持久化到Consor听起来像是一个问题,但没有错误指示这样的问题

{"level":"debug","msg":"Looking for an existing ACME challenge for registry.domain.tld...","time":"2019-07-07T11:37:23Z"}
{"level":"debug","msg":"Looking for provided certificate to validate registry.domain.tld...","time":"2019-07-07T11:37:23Z"}
{"level":"debug","msg":"No provided certificate found for domains registry.domain.tld, get ACME certificate.","time":"2019-07-07T11:37:23Z"}
{"level":"debug","msg":"ACME got domain cert registry.domain.tld","time":"2019-07-07T11:37:23Z"}
更新:我在日志中找到了这一行:

{"level":"error","msg":"Error getting ACME certificates [matomo.domain.tld] : cannot obtain certificates: acme: Error -\u003e One or more domains had a problem:\n[matomo.domain.tld] acme: error: 400 :: urn:ietf:paramsacme:error:connection :: Fetching http://matomo.domain.tld/.well-known/acme-challenge/WJZOZ9UC1aJl9ishmL2ACKFbKoGOe_xQoSbD34v8mSk: Timeout after connect (your server may be slow or overloaded), url: \n","time":"2019-07-09T16:27:43Z"}
因此,问题似乎是由于超时而导致挑战失败。但为什么超时

更新2:更多日志条目:

{"level":"debug","msg":"Looking for an existing ACME challenge for staging.domain.tld...","time":"2019-07-10T19:38:34Z"}
{"level":"debug","msg":"Looking for provided certificate to validate staging.domain.tld...","time":"2019-07-10T19:38:34Z"}
{"level":"debug","msg":"No provided certificate found for domains staging.domain.tld, get ACME certificate.","time":"2019-07-10T19:38:34Z"}
{"level":"debug","msg":"No certificate found or generated for staging.domain.tld","time":"2019-07-10T19:38:34Z"}
{"level":"debug","msg":"http: TLS handshake error from 10.255.0.2:51981: remote error: tls: unknown certificate","time":"2019-07-10T19:38:34Z"}
但是,在几分钟到一个小时后,它就可以工作了(到目前为止有两个域)。

不确定这是一个功能还是一个bug,但是删除以下http到https重定向为我解决了这个问题:

 [entryPoints.http.redirect]
        entryPoint = "https"
遗憾的是,在我的情况下,这还不够。这对我也没有帮助-我想知道它是否错误地重定向了来自LE服务器的非TLS回复。但是,值得注意的是,当前标记为“部分服务中断”。这不是答案。我仍然收到相同的错误,并且没有启用重定向。 
 [entryPoints.http.redirect]
        entryPoint = "https"