【发布时间】:2021-10-22 04:40:52
【问题描述】:
我使用 traefik 作为反向代理,我希望能够使用 route 53 (AWS) 提供商从 DNS 挑战中生成一个 let's encrypt 证书。
这是我的配置:
Traefik:
# Traefik
traefik:
image: traefik:v2.3.6
container_name: traefik
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# - ./traefik.toml:/etc/traefik/traefik.toml
- ./acme.json:/acme.json
- traefik-public-certicate:/certifcates
ports:
- "80:80" # http
- "443:443" # https
environment:
- AWS_REGION=${AWS_REGION}
- AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
- AWS_HOSTED_ZONE_ID=${AWS_HOSTED_ZONE_ID}
command:
- --api.dashboard=true
- --providers.docker=true
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --certificatesresolvers.default.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
# - --entrypoints.web.http.redirections.entrypoint.permanent=true
- --certificatesresolvers.default.acme.email=example@gmail.com
- --certificatesresolvers.default.acme.storage=acme.json
- --certificatesresolvers.default.acme.dnschallenge=true
- --certificatesresolvers.default.acme.dnschallenge.provider=route53
- --certificatesresolvers.default.acme.dnschallenge.delayBeforeCheck=60
- --certificatesresolvers.default.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
- --certificatesresolvers.default.acme.dnschallenge.disablepropagationcheck=true
labels:
- traefik.enable=true
- traefik.docker.network=app
- traefik.http.routers.api.rule=Host(`${HOSTNAME}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
- traefik.http.routers.api.entrypoints=websecure
- traefik.http.routers.api.tls.certresolver=default
- traefik.http.routers.api.service=api@internal
- traefik.http.routers.api.middlewares=auth # middlewares auth
- traefik.http.routers.api.tls=true
- traefik.http.routers.api.tls.domains[0].main=${HOSTNAME}
- traefik.http.routers.api.tls.domains[0].sans=*.${HOSTNAME}
- traefik.http.middlewares.auth.basicauth.users=MyUser:MyPassword
networks:
- app
示例服务:
# Ms-example
ms-example:
build: ms-example
container_name: ms-example
expose:
- "80"
volumes:
- ./ms-example/vhosts:/etc/apache2/sites-enabled
- ./ms-example/:/var/www/html/example
restart: always
labels:
- traefik.docker.network=app
- traefik.enable=true
- traefik.http.routers.ms-security.rule=Host(`${HOSTNAME}`) && PathPrefix(`/v1.0/ms-example`)
- traefik.http.routers.ms-example.entrypoints=websecure
- traefik.http.routers.ms-example.tls=true
- traefik.http.routers.ms-example.tls.certresolver=default
- traefik.http.routers.ms-example.tls.domains[0].main=${HOSTNAME}
- traefik.http.routers.ms-example.tls.domains[0].sans=*.${HOSTNAME}
networks:
- app
给予 IAM 用户的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:GetChange",
"route53:ListHostedZones"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"iam:UploadServerCertificate"
],
"Resource": [
"*"
]
}
]
}
我在浏览器和邮递员上遇到这样的错误:
NET::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT
Issuer: TRAEFIK DEFAULT CERT
Expires on: 20 août 2022
Current date: 20 août 2021
PEM encoded chain:
-----BEGIN CERTIFICATE-----
MYCERTIFICATE
-----END CERTIFICATE-----
如何使证书有效?我哪里错了?
如果您想了解更多信息,请不要犹豫,尤其是如果有人对我有丝毫想法,我就是接受者。
编辑
这是我在 Traefik 日志中发现的错误:
time="2021-08-23T13:20:22Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.fr,*.mydomain.fr\" : unable to generate a certificate for the domains [mydomain.fr *.mydomain.fr]: error: one or more domains had a problem:\n[*.mydomain.fr] [*.mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: c702090f-fdcc-4364-a207-a82d58446324\n[mydomain.fr] [mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: eb5efd0e-10cd-4369-846c-e0dfe31109de\n" providerName=default.acme
mydomain 是我的域名。 据我了解,这是因为主机 ID 阻止了它,但尽管进行了大量研究,但我并不真正了解这个派对。
【问题讨论】:
-
配置看起来不错:您在 Traefik 容器日志中看到什么了吗?一般情况下,还是在尝试连接服务时?
-
@SYN - 很抱歉花了很长时间才回答我被时间带走了。感谢您的帮助和回复。我输入的 EDIT 日志错误比我发现的要多。
-
use2-az1来自哪里?那是可用区吗?看起来不像一个有效的名称,可能是在您的 docker-compose 中传递的环境变量无效吗?否则,NoSuchHostedZone会建议您没有与“mydomain.fr”匹配的 Route53 区域。 -
@SYN - 好的,谢谢,我只是使用了错误的提供商......我刚刚意识到这个域名是在 GoogleDomains 上购买的,我想我将不得不使用 GoogleCloudDomain 提供商来应对 Traefik 提供的挑战 DNS ?
-
@SYN - 非常感谢你,所以我经历了 http 挑战,效果很好!再次感谢
标签: amazon-web-services traefik lets-encrypt