Issue using the new httpChallenge in Traefik 1.5.0-rc5

Problem description

In trying to upgrade to the latest traefik version to be able to generate TLS certs from LetsEncrypt, I've come across a problem when it comes to cert generation time.

This worked previously on traefik:1.4 using the acme.ondemand flag and the other settings (minus the httpChallenge keys, of course).

traefik:
  image: traefik:1.5.0-rc5-alpine
  ports:
    - 80:80/tcp
    - 443:443/tcp
  command:
    - --web
    - --rancher
    - --rancher.metadata
    - --acme
    - [email protected]
    - --acme.onhostrule
    - --acme.httpchallenge
    - --acme.httpchallenge.entrypoint=http
    - --acme.entrypoint=https
    - --acme.storage=/data/acme.json
    - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
    - --entryPoints=Name:https Address::443 TLS
    - --accesslog
    - --accesslog.format=json
    - --debug



Openssl s_client result of not-yet-existent cert

CONNECTED(00000003)
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=TRAEFIK DEFAULT CERT
  i:/CN=TRAEFIK DEFAULT CERT
---
...
Verify return code: 21 (unable to verify the first certificate)



Traefik logs



time="2018-01-16T19:17:49Z" level=debug msg="Looking for provided certificate to validate [mysite.com]..."
time="2018-01-16T19:17:49Z" level=debug msg="No provided certificate found for domains [mysite.com], get ACME certificate."
time="2018-01-16T19:17:49Z" level=debug msg="Looking for an existing ACME challenge for mysite.com..."
time="2018-01-16T19:17:49Z" level=debug msg="No certificate found or generated for mysite.com"

Attempting to narrow down to just a toml file with the same config to determine if that's the problem or not.

Accepted answer

I found that in the end, the problem was actually that I didn't have a container matching the host that I was testing against, running in my cluster.

I was using openssl s_client -connect host:443 -servername mysite.com; however, I didn't realize that in the cluster I was targeting, there was no container with a label of traefik.frontend.rule=Host:mysite.com.

Therefore, I was just getting a 404 from traefik's perspective, which ended up using the default traefik cert. When curl'ing, I never got the 404, since I never got past the TLS handshake.
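The answer above hinges on one diagnostic fact: when Traefik 1.x has no frontend matching the SNI name it receives, it serves its self-signed TRAEFIK DEFAULT CERT instead of requesting one from ACME, so a "bad certificate" from openssl s_client means "no route for this host" rather than "LetsEncrypt failed". The script below is an added example, not code from the question or answer, that turns that observation into a repeatable check: it classifies s_client output as Traefik's default cert, an issued cert for the requested name, or something else. The proxy hostname, the classifier and function names, and the two sample outputs are constructed for this example; the default-cert sample mirrors the chain block quoted in the question.

```shell
#!/bin/sh
# Added example (not part of the original post): tell apart "Traefik has no frontend
# for this host" from "a real cert was issued" when probing a Traefik 1.x entrypoint.

# classify_cert reads `openssl s_client` output on stdin and prints one word:
#   none    - no certificate chain at all (connection refused, TLS not on this port)
#   default - Traefik's self-signed fallback: no frontend matched the SNI name, or
#             ACME has not issued yet (with --acme.onhostrule both look the same)
#   issued  - leaf cert whose CN is the name we asked for via -servername
#   other   - a cert for some other name (SNI ignored, wrong proxy, stale cert)
# It accepts both the old "0 s:/CN=name" and newer "0 s:CN = name" subject formats.
classify_cert() {
  want="$1"
  subject=$(sed -n 's/^ *0 s:\(.*\)$/\1/p' | head -n 1 | sed 's/ *= */=/g')
  case "$subject" in
    "") echo none ;;
    *"CN=TRAEFIK DEFAULT CERT"*) echo default ;;
    *"CN=$want"*) echo issued ;;
    *) echo other ;;
  esac
}

# probe_host is the live check from the answer: connect to the proxy, present the
# site name in SNI, and classify what comes back.
# Usage: probe_host traefik.internal.example mysite.com   (hostnames are placeholders)
probe_host() {
  proxy="$1"
  name="$2"
  echo | openssl s_client -connect "$proxy:443" -servername "$name" 2>/dev/null \
    | classify_cert "$name"
}

# Constructed sample 1: what the question saw (no matching traefik.frontend.rule=Host:...).
SAMPLE_DEFAULT='CONNECTED(00000003)
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
---'

# Constructed sample 2: what a successful ACME issuance for mysite.com looks like.
SAMPLE_ISSUED="---
Certificate chain
 0 s:/CN=mysite.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---"

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_DEFAULT" | classify_cert mysite.com   # default
printf '%s\n' "$SAMPLE_ISSUED"  | classify_cert mysite.com   # issued
```

If `probe_host` reports `default` for a name you expect to be served, check for a container carrying `traefik.frontend.rule=Host:<name>` before suspecting the ACME or httpChallenge configuration; only once Traefik has a frontend for the host will it request a certificate at all. A `default` result is also what you see in the short window between the first request for a new host and the ACME issuance completing, so re-probe after a few seconds before concluding the route is missing.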

