traefik ssl certificate generation for cname record "tls: bad certificate"

Problem description

Does a reverse proxy need extra configuration to generate SSL certificates if I have a subdomain CNAMEd to a different server?

mydomain.com, A record to server #1 at 111.111.111.111
subdomain.mydomain.com, CNAME record to otherdomain.dynv6.net
otherdomain.dynv6.net, A record to server #2 at 222.222.222.222

As I don't know the answer to the question above, the reason for the SSL certificate failing might be either that CNAME-related stuff, Let's Encrypt rate limiting (unfortunately I don't know how to check that), or some misconfiguration.

I am using Traefik v2 as my reverse proxy running on server #2, and this is my error:

time="..." level=debug msg="Adding route for SUBDOMAIN.MYDOMAIN.COM with TLS options default" entryPointName=websecure
time="..." level=debug msg="Try to challenge certificate for domain [SUBDOMAIN.MYDOMAIN.COM] found in HostSNI rule" rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)" providerName=myresolverletsencrypt.acme routerName=whoami@docker
time="..." level=debug msg="Looking for provided certificate(s) to validate [\"SUBDOMAIN.MYDOMAIN.COM\"]..." providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=debug msg="Domains [\"SUBDOMAIN.MYDOMAIN.COM\"] need ACME certificates generation for domains \"SUBDOMAIN.MYDOMAIN.COM\"." providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=debug msg="Loading ACME certificates [SUBDOMAIN.MYDOMAIN.COM]..." providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=debug msg="Building ACME client..." providerName=myresolverletsencrypt.acme
time="..." level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=myresolverletsencrypt.acme
time="..." level=error msg="Unable to obtain ACME certificate for domains \"SUBDOMAIN.MYDOMAIN.COM\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:34539->127.0.0.11:53: i/o timeout" providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=debug msg="Serving default certificate for request: \"SUBDOMAIN.MYDOMAIN.COM\""
time="..." level=debug msg="http: TLS handshake error from 172.22.0.1:38464: remote error: tls: bad certificate"

My services run with Docker. Here is the Traefik and whoami subdomain configuration from my docker-compose file.

version: "3.7"
services:
  traefik:
    image: "traefik:v2.4.7"
    command:
      - "--log.level=DEBUG"
      - "--api=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.certResolver=myresolverletsencrypt"
      - "--log=true"
      - "--log.filePath=/logs/traefik.log"
      - "--accesslog=true"
      - "--accesslog.filePath=/logs/access.log"
      - "--certificatesresolvers.myresolverletsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolverletsencrypt.acme.email=me@mail.com"
      - "--certificatesresolvers.myresolverletsencrypt.acme.storage=/acme.json"
    labels:
      - "traefik.enable=true"
    expose:
      - 8080
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
  whoami:
    image: "containous/whoami:latest"
    container_name: "whoami"
    restart: unless-stopped
    expose:
      - 80
    ports:
      - "8081:80"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`SUBDOMAIN.MYDOMAIN.COM`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolverletsencrypt"

Tags: ssl, docker-compose, traefik
