docker - Traefik 无法使用 Route 53 获取 Acme 证书
问题描述
我在使用 AWS Route 53 配置 Traefik 和 ACME 证书时遇到了一点麻烦。我尝试了 http 和 dns 挑战,但均无济于事。它不断收到此错误:acme:错误呈现令牌:route53:无法确定托管区域 ID:NoCredentialProviders:链中没有有效的提供者
我在这里做错了什么?提前致谢。
httpChallenge 错误(注意没有打开防火墙):
app_1 | time="2019-02-20T21:49:52Z" level=debug msg="Using HTTP Challenge provider."
app_1 | time="2019-02-20T21:50:04Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : unable to generate a certificate for the domains [monitor.example.net]: acme: Error -> One or more domains had a problem:\n[monitor.example.net] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://monitor.example.net/.well-known/acme-challenge/AwJq4WU0OKN943nyHW6e3jzirdsWw6QAeE-CXD7QRhQ: Timeout during connect (likely firewall problem), url: \n"
dns挑战错误:
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Try to challenge certificate for domain [monitor.example.net] founded in Host rule"
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Looking for provided certificate(s) to validate [\"monitor.example.net\"]..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Domains [\"monitor.example.net\"] need ACME certificates generation for domains \"monitor.example.net\"."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Loading ACME certificates [monitor.example.net]..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Building ACME client..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Using DNS Challenge provider: route53"
app_1 | time="2019-02-20T21:18:27Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : unable to generate a certificate for the domains [monitor.example.net]: acme: Error -> One or more domains had a problem:\n[monitor.example.net] [monitor.example.net] acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors\n"
附上 docker-compose.yml
version: '3'
services:
app:
image: traefik:alpine
restart: always
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./acme.json:/acme.json
labels:
- traefik.frontend.rule=Host:monitor.example.net
- traefik.port=8080
networks:
- web
networks:
web:
external: true
附上traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.dashboard]
address = ":8080"
[entryPoints.dashboard.auth]
[entryPoints.dashboard.auth.basic]
users = ["admin:foobar"]
[entryPoints.http]
address = ":80"
# [entryPoints.http.redirect]
# entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[api]
entrypoint="dashboard"
[acme]
email = "donotspam@me.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
# [acme.httpChallenge] #<--tried both httpChallenge and dnsChallenge
# entryPoint = "http"
[acme.dnsChallenge]
provider = "route53"
delayBeforeCheck = 0
[docker]
domain = "example.net"
watch = true
network = "web"
解决方案
HTTP 质询要求端口 80 可在 Internet 上访问。
对于 DNS 质询,您需要定义凭据:
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
, [AWS_REGION
], [AWS_HOSTED_ZONE_ID
] 或配置的用户/实例 IAM 配置文件。 https://docs.traefik.io/configuration/acme/#provider
推荐阅读
- python - Ansible uri JSON 解析问题
- excel - 通过 Excel VBA 单击 Internet Explorer 上的按钮
- javascript - 在 FolderIterator 和 FileIterator 上循环 - Google Apps 脚本
- python - 如何读取 H5py 文件中的字符串列表?
- css - 无法在引导程序 scss 中跟踪规则
- javascript - Vuebootstrap b-alert 未显示来自 axios 调用响应变量的动态消息
- python-3.x - Groupby pandas数据框并根据条件保留所有行
- python - Pandas:创建新列并根据条件填充上一行的值
- c++ - Qt QGL 包括未找到
- azure-ad-b2c - 通过 Azure Ad b2c 和身份验证器应用使用 2 因素身份验证