Let's Encrypt, traefik and TLS

Problem description

I am setting up a gitea instance with docker and traefik. I want it to be secured with a Let's Encrypt certificate.

My docker-compose.yml looks like this (I hope it is commented well enough):

version: '3'
services:
  reverse-proxy:
    # The official v2.0 Traefik docker image
    image: traefik:v2.0
    command:
      # Only for development environment
      - "--log.level=DEBUG"
      - "--log.filePath=/var/log/traefik.log"
      - "--api.insecure=true"
      # Get Docker as the provider
      - "--providers.docker=true"
      # Set the ports for the entry points
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Set letsencrypt as the certificate provider
      - "--certificatesresolvers.le.acme.email=myemail@lutix.org"
      - "--certificatesresolvers.le.acme.storage=/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      # let's encrypt staging server
      - "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock" # So that Traefik can listen to the Docker events
      - "./volumes/traefik/acme.json:/acme.json"
      - "./volumes/traefik/traefik.log:/var/log/traefik.log"

  gitea:
    image: gitea/gitea
    depends_on:
      - "mysql"
      - "reverse-proxy"
      - "phpmyadmin"
    ports:
      - "10022:22"
    volumes:
      - "./volumes/gitea:/data"
    labels:
      # WARNING: 2 routers by protocol http and https
      - traefik.http.routers.gitea-router-http.rule=Host(`gitea.lutix.org`)
      - traefik.http.middlewares.https-redirection.redirectscheme.scheme=https
      - traefik.http.routers.gitea-router-http.middlewares=https-redirection
      - traefik.http.routers.gitea-router-https.rule=Host(`gitea.lutix.org`)
      - traefik.http.routers.gitea-router-https.tls=true
      - traefik.http.routers.gitea-router-https.entrypoints=websecure
      - traefik.http.routers.gitea-router-https.tls.certresolver=le
      - traefik.http.services.gitea-service.loadbalancer.server.port=3000

I believe my setup is correct, since I took inspiration from many resources/forums/stackoverflow threads. But there is still a message in the traefik log file that I cannot resolve:

time="2020-02-03T05:26:29Z" level=debug msg="Domains [\"gitea.lutix.org\"] need ACME certificates generation for domains \"gitea.lutix.org\"." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Loading ACME certificates [gitea.lutix.org]..." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Building ACME client..." providerName=le.acme
time="2020-02-03T05:26:29Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="Using TLS Challenge provider." providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Obtaining bundled SAN certificate"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: use tls-alpn-01 solver"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Trying to solve TLS-ALPN-01"
time="2020-02-03T05:26:33Z" level=debug msg="TLS Challenge Present temp certificate for gitea.lutix.org" providerName=acme

So far, so good.

time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54496: remote error: tls: bad certificate"
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54500: remote error: tls: bad certificate"

Here the mess begins!

time="2020-02-03T05:26:44Z" level=debug msg="TLS Challenge CleanUp temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54512: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54516: remote error: tls: bad certificate"

What could be the reason for this TLS handshake error? As for the firewall, all rules have been disabled for testing. What can I do to get more information about the TLS handshake failure? Should I switch to another challenge, such as http or dns?

Tags: docker, lets-encrypt, traefik, acme
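The question asks how to get more detail on the failing handshake. As an added example (not from the original post or from Traefik), the Python probe below connects the way an ACME TLS-ALPN-01 validator does (SNI set to the host, ALPN `acme-tls/1`) and reports whether the returned certificate names the requested host and carries the acmeIdentifier extension, or whether it is a default certificate like the one named in the log above. The SAN extraction is a heuristic byte scan rather than a full X.509 parser; `probe`, `diagnose` and `san_dns_names` are names chosen here, and `connect_to` lets you point the probe at the public IP the CA would see instead of a local address.

```python
# Added example, not from the original post: emulate an ACME TLS-ALPN-01 validator.
import socket, ssl

SAN_OID = b"\x06\x03\x55\x1d\x11"                         # id-ce-subjectAltName (2.5.29.17)
ACME_ID_OID = b"\x06\x08\x2b\x06\x01\x05\x05\x07\x01\x1f"  # id-pe-acmeIdentifier (1.3.6.1.5.5.7.1.31)
ACME_ALPN = "acme-tls/1"

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(der):
    """dNSName entries of subjectAltName; heuristic scan for the SAN OID, not a full X.509 parser."""
    idx = der.find(SAN_OID)
    if idx < 0: return []
    tag, value, pos = _tlv(der, idx + len(SAN_OID))
    if tag == 0x01:                        # optional 'critical' BOOLEAN precedes extnValue
        tag, value, pos = _tlv(der, pos)
    if tag != 0x04: return []              # extnValue must be an OCTET STRING
    _, names, _ = _tlv(value, 0)           # the OCTET STRING wraps a GeneralNames SEQUENCE
    out, p = [], 0
    while p < len(names):
        tag, v, p = _tlv(names, p)
        if tag == 0x82:                    # [2] IMPLICIT IA5String = dNSName
            out.append(v.decode("ascii"))
    return out

def diagnose(host, der, negotiated_alpn):
    if negotiated_alpn != ACME_ALPN:
        return "no acme-tls/1 negotiated: the challenge handler did not answer this connection"
    names = san_dns_names(der)
    if host not in names:
        return "wrong certificate: SAN %s does not cover %s (default certificate?)" % (names, host)
    if ACME_ID_OID not in der:
        return "certificate covers %s but lacks the acmeIdentifier extension" % host
    return "valid-looking TLS-ALPN-01 challenge certificate for %s" % host

def probe(host, port=443, connect_to=None):
    """Handshake with SNI=host and ALPN acme-tls/1; connect_to targets the public IP the CA sees."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # inspect the cert, do not trust it
    ctx.set_alpn_protocols([ACME_ALPN])
    with socket.create_connection((connect_to or host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return diagnose(host, tls.getpeercert(binary_form=True), tls.selected_alpn_protocol())
```

Run `probe("gitea.lutix.org")` while Traefik is mid-challenge (the temp certificate only exists between the "Present" and "CleanUp" log lines); a "wrong certificate" verdict naming `traefik.default` reproduces the CA's 403 locally.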