ssl - traefik ssl certificate generation for cname record "tls: bad certificate"
Problem description
Does a reverse proxy need extra configuration to generate ssl certificates, if I have a subdomain cnamed to a different server?
mydomain.com, A record to server #1 at 111.111.111.111
subdomain.mydomain.com, CNAME record to otherdomain.dynv6.net
otherdomain.dynv6.net, A record to server #2 at 222.222.222.222
As I don't know the answer to the question above, the reason for the ssl certificate failing might be either that CNAME-related setup, letsencrypt rate limiting (I don't know how to check that, unfortunately) or some misconfiguration.
I am using traefik v2 as my reverse proxy running on server #2 and this is my error:
time="..." level=debug msg="Adding route for SUBDOMAIN.MYDOMAIN.COM with TLS options default" entryPointName=websecure
time="..." level=debug msg="Try to challenge certificate for domain [SUBDOMAIN.MYDOMAIN.COM] found in HostSNI rule" rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)" providerName=myresolverletsencrypt.acme routerName=whoami@docker
time="..." level=debug msg="Looking for provided certificate(s) to validate [\"SUBDOMAIN.MYDOMAIN.COM\"]..." providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=debug msg="Domains [\"SUBDOMAIN.MYDOMAIN.COM\"] need ACME certificates generation for domains \"SUBDOMAIN.MYDOMAIN.COM\"." providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=debug msg="Loading ACME certificates [SUBDOMAIN.MYDOMAIN.COM]..." providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=debug msg="Building ACME client..." providerName=myresolverletsencrypt.acme
time="..." level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=myresolverletsencrypt.acme
time="..." level=error msg="Unable to obtain ACME certificate for domains \"SUBDOMAIN.MYDOMAIN.COM\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:34539->127.0.0.11:53: i/o timeout" providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=debug msg="Serving default certificate for request: \"SUBDOMAIN.MYDOMAIN.COM\""
time="..." level=debug msg="http: TLS handshake error from 172.22.0.1:38464: remote error: tls: bad certificate"
My services are run with docker. Here is the traefik and whoami subdomain configuration of my docker-compose file.
version: "3.7"
services:
  traefik:
    image: "traefik:v2.4.7"
    command:
      - "--log.level=DEBUG"
      - "--api=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.certResolver=myresolverletsencrypt"
      - "--log=true"
      - "--log.filePath=/logs/traefik.log"
      - "--accesslog=true"
      - "--accesslog.filePath=/logs/access.log"
      - "--certificatesresolvers.myresolverletsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolverletsencrypt.acme.email=me@mail.com"
      - "--certificatesresolvers.myresolverletsencrypt.acme.storage=/acme.json"
    labels:
      - "traefik.enable=true"
    expose:
      - 8080
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
  whoami:
    image: "containous/whoami:latest"
    container_name: "whoami"
    restart: unless-stopped
    expose:
      - 80
    ports:
      - "8081:80"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`SUBDOMAIN.MYDOMAIN.COM`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolverletsencrypt"
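The level=error line in the log above is worth reading before touching DNS records or worrying about rate limits: Traefik never reached the Let's Encrypt directory at all, because the container's lookup of acme-v02.api.letsencrypt.org against 127.0.0.11:53 (Docker's embedded DNS resolver) timed out. As an added example, not part of the original question or of Traefik, the Python script below parses Traefik's key=value log lines and classifies "Unable to obtain ACME certificate" errors by their visible cause, separating container DNS failure from Let's Encrypt rate limiting and from an unreachable challenge endpoint. The sample log is constructed from the error line in the question plus two hypothetical failures; the phrases the classifier matches, and the advice strings, are assumptions written for this example.

```python
import json
import re
from typing import Dict, List

# Constructed sample: the error line from the question above, plus two
# hypothetical ACME failures (rate limit, unreachable challenge endpoint)
# so the classifier has different causes to tell apart.
SAMPLE_LOG = r'''
time="..." level=debug msg="Building ACME client..." providerName=myresolverletsencrypt.acme
time="..." level=error msg="Unable to obtain ACME certificate for domains \"SUBDOMAIN.MYDOMAIN.COM\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:34539->127.0.0.11:53: i/o timeout" providerName=myresolverletsencrypt.acme routerName=whoami@docker rule="Host(`SUBDOMAIN.MYDOMAIN.COM`)"
time="..." level=error msg="Unable to obtain ACME certificate for domains \"EXAMPLE.TEST\": acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates already issued" providerName=myresolverletsencrypt.acme routerName=example@docker
time="..." level=error msg="Unable to obtain ACME certificate for domains \"EXAMPLE.TEST\": acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem)" providerName=myresolverletsencrypt.acme routerName=example@docker
'''

# Traefik's text log format writes key=value pairs; values with spaces are
# double-quoted with Go-style escapes, which the JSON decoder can unescape.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
DOMAINS_RE = re.compile(r'for domains "([^"]+)"')

# Ordered (cause, pattern) pairs; the first match wins. The phrases are
# assumptions taken from the error texts in SAMPLE_LOG.
CAUSE_PATTERNS = [
    ("dns_resolution", re.compile(r"lookup \S+ on \S+:53: .*i/o timeout")),
    ("rate_limited", re.compile(r"urn:ietf:params:acme:error:rateLimited|too many certificates")),
    ("challenge_unreachable", re.compile(r"urn:ietf:params:acme:error:connection|Timeout during connect")),
]

# Defender-side reading of each cause (assumed wording for this example).
ADVICE = {
    "dns_resolution": "Traefik never reached the ACME directory: the container's "
                      "resolver (127.0.0.11 is Docker's embedded DNS) timed out. "
                      "Fix container DNS before looking at CNAMEs or rate limits.",
    "rate_limited": "Let's Encrypt refused the order; wait for the limit window "
                    "to pass and test against the staging directory meanwhile.",
    "challenge_unreachable": "Let's Encrypt could not connect to the host the name "
                             "resolves to; check that the record chain ends at this "
                             "server and that port 443 is reachable from outside.",
    "unknown": "Unclassified ACME error; read the full message.",
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one Traefik log line into its key=value fields, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            try:
                fields[key] = json.loads(raw)
            except ValueError:
                fields[key] = raw[1:-1]
        else:
            fields[key] = raw
    return fields


def classify(msg: str) -> str:
    """Return the first cause whose pattern appears in the error message."""
    for cause, pattern in CAUSE_PATTERNS:
        if pattern.search(msg):
            return cause
    return "unknown"


def diagnose(log_text: str) -> List[Dict[str, str]]:
    """Collect every level=error ACME line with the domains, router and cause."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("level") != "error":
            continue
        msg = fields.get("msg", "")
        match = DOMAINS_RE.search(msg)
        cause = classify(msg)
        findings.append({
            "domains": match.group(1) if match else "?",
            "router": fields.get("routerName", "-"),
            "cause": cause,
            "advice": ADVICE[cause],
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(f"{finding['domains']} ({finding['router']}): {finding['cause']}")
        print(f"  {finding['advice']}")
```

Run it against a real traefik.log by replacing SAMPLE_LOG with the file's contents; the point of the classifier is that the three causes call for different fixes, and only the last two have anything to do with the CNAME chain in the question.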
Solution