docker-compose - Problem getting certificate from let's encrypt using Traefik with docker
问题描述
I've set up Traefik with Docker and a service behind it. The basic setup works. I can browse to port 80 using the domain name I'm redirected to https and then see "invalid certificate" - since the let's encrypt part is broken.
[ router ] <-:80/:443-> [linux/docker [Traefik:80/:443][Service:8080]]
Here is the entry in the log (edited domain.)
Logs:
acme: Error -> One or more domains had a problem:\n[xyz.example.net] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://xyz.example.net/.well-known/acme-challenge/eIAFZqaGMHMWaBjINjzk4m8PuWiYfuCHCTnSU9M: Error getting validation data, url: \n"
The error message is accurate, I can not browse to that URL. I have noticed that I can go to that URL using the internal IP http://10.0.0.21/.well-known/acme-challenge/key and Traefik responds with this in the log:
traefik | time="2019-05-28T21:20:52Z" level=error msg="Error getting challenge for token retrying in 542.914495ms"
I suspect the problem is the domain name redirect setup. My service is at xyz.example.net (and so is Traefik.) I suspect the problem is that Traefik is redirecting all traffic coming in on xyz.example.net:80/:443 to the service, and not handling the ./well-known/acme-challenge itself. Do I need to give the gateway itself a name? (E.g. zzz.example.net is Traefik and xyz.example.net is the service?)
How can I fix this?
My TOML file:
debug = false
logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]
[entryPoints]
[entryPoints.http]
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.net"
watch = true
exposedbydefault = false
[acme]
email = "me@example.net"
storage = "acme.json"
entryPoint = "https"
onDemand = false
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
解决方案
我注意到虽然内部 IP 192.xxx 有效 - 外部 IP 没有。当然,我会说,这似乎是一个防火墙问题 - 但是 - 对于我正在测试的服务,防火墙允许通过流量,所以我很困惑。
解决方案?端口 80 没有在防火墙上转发,443 是。因此,当我尝试使用 curl/browser 进行测试时,我正在输入https://xyz.example.com - 这是有效的。
推荐阅读
- knex.js - knex 如何在特定时间戳范围内选择行
- azure-devops - 如何根据 Azure 中提交的文件夹路径在 Yaml 中设置作业级别条件
- blockchain - 声明错误:未找到标识符或标识符不唯一。函数检索()公共视图返回(unit256){^-----^
- pine-script - 在日内图表上绘制日线图,更高的时间范围
- iframe - Authorize.net 的 Accept Hosted iframe 中没有 action=transactResponse
- android - 将函数从 preferenceFragment 移动到第二个片段
- php - Carbon\Exceptions\InvalidFormatException 发现意外数据。发现意外数据。尾随数据,laravel 日期格式验证错误
- javascript - TinyMCE 按钮切换包装器 HTML
- php - Jquery 未检测到 Jquery Repeater 添加的新元素
- python-3.x - 为什么我的数字反向器功能会产生无限循环