Problem description
In trying to upgrade to the latest traefik version to be able to generate TLS certs from LetsEncrypt, I've come across a problem when it comes to cert generation time.
This worked previously on traefik:1.4 using the acme.ondemand flag and the other settings (minus the httpChallenge keys of course).
```yaml
traefik:
  image: traefik:1.5.0-rc5-alpine
  ports:
    - 80:80/tcp
    - 443:443/tcp
  command:
    - --web
    - --rancher
    - --rancher.metadata
    - --acme
    - [email protected]
    - --acme.onhostrule
    - --acme.httpchallenge
    - --acme.httpchallenge.entrypoint=http
    - --acme.entrypoint=https
    - --acme.storage=/data/acme.json
    - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
    - --entryPoints=Name:https Address::443 TLS
    - --accesslog
    - --accesslog.format=json
    - --debug
```
Openssl s_client result of not-yet-existent cert
```
CONNECTED(00000003)
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
---
...
Verify return code: 21 (unable to verify the first certificate)
```
Traefik logs
```
time = 2018-01-16T19:17:49Z level = debug msg =正在寻找提供的证书来验证[mysite.com] ...
time = 2018-01-16T19:17:49Z level = debug msg =未为域[mysite.com]找到提供的证书,请获取ACME证书。
time = 2018-01-16T19:17:49Z level = debug msg =正在为mysite.com寻找现有的ACME挑战...
time = 2018-01-16T19:17:49Z level = debug msg =未为mysite.com找到或生成证书
```
Attempting to narrow down to just a toml file with the same config to determine if that's the problem or not.
Recommended answer
I found that in the end, the problem was actually that I didn't have a container matching the host that I was testing against, running in my cluster.
I was using openssl s_client -connect host:443 -servername mysite.com, however I didn't realize that in the cluster I was targeting, there was no container with a label of traefik.frontend.rule=Host:mysite.com.
Therefore, I was just getting a 404 from traefik's perspective, which ended up using the default traefik cert. When curl'ing - I never got the 404 since I never got past the TLS handshake.
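A small check that makes the situation in this answer visible before anyone starts debugging ACME: probe the endpoint with the SNI name you expect Traefik to match and classify the leaf certificate it hands back. Traefik's self-signed fallback (CN=TRAEFIK DEFAULT CERT) means no frontend rule matched that Host or no certificate has been obtained yet, so the Host rule / container labels are the first thing to verify. This is an added example written for this page, not code from the original post or from the Traefik project; it assumes the openssl CLI is installed and Traefik listens on port 443, and the sample s_client outputs are constructed (the default-cert one is copied from the question, the "real cert" one uses placeholder subject and issuer names).

```shell
#!/bin/sh
# Added example, not from the original post or the Traefik project.
# Probe a Traefik endpoint with SNI and report whether it answered with the
# self-signed fallback certificate, which is what Traefik serves when no
# frontend rule matches the requested Host (or no cert exists for it yet).

# classify_leaf_cert: reads `openssl s_client` output on stdin, prints the leaf
# subject, returns 0 for the Traefik default cert and 1 for any other cert.
classify_leaf_cert() {
  # The first " 0 s:..." line under "Certificate chain" is the leaf subject;
  # leading spaces are optional so output with stripped indentation also works.
  subject=$(sed -n 's/^ *0 *s:\(.*\)$/\1/p' | head -n 1)
  printf 'leaf subject: %s\n' "${subject:-<none>}"
  case "$subject" in
    *"TRAEFIK DEFAULT CERT"*) return 0 ;;  # fallback: check Host rule/labels first
    *) return 1 ;;
  esac
}

# probe_sni HOST SERVERNAME: live check (assumes openssl is installed and
# Traefik listens on HOST:443). -servername is what drives Traefik's per-host
# certificate lookup, so pass the Host you expect a frontend rule to match.
probe_sni() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | classify_leaf_cert
}

# Constructed sample: the s_client output quoted in the question above.
SAMPLE_DEFAULT_CERT='CONNECTED(00000003)
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
---
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: what a successfully issued certificate looks like.
# Subject and issuer are placeholders, not real certificate data.
SAMPLE_REAL_CERT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mysite.com
   i:/CN=Example CA (placeholder)
---
Verify return code: 0 (ok)'

# demo: run the classifier over both samples offline; returns 0 when the
# default-cert sample is flagged and the real-cert sample is not.
demo() {
  printf '%s\n' "$SAMPLE_DEFAULT_CERT" | classify_leaf_cert || return 1
  if printf '%s\n' "$SAMPLE_REAL_CERT" | classify_leaf_cert; then return 1; fi
  return 0
}
```

Run `probe_sni <traefik-ip> mysite.com` against the cluster; a non-zero status with a non-Traefik subject means a real certificate was served, while a zero status (default cert) says the request never matched a frontend, so a missing or mistyped traefik.frontend.rule=Host:... label is the thing to look at before suspecting the ACME challenge.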