Traefik SSL 配置
Traefik SSL configuration
所以,我正在尝试将我的 docker swarm 与 traefik 部署到一个数字海洋水滴集群中。我使用 traefik 作为我的反向代理和负载平衡器,所以我必须使用 traefik 获得 SSL 证书。该文档看起来很简单,所以我真的不明白我的配置出了什么问题。我希望你们能阐明我做错了什么。我正在使用通配符域将我的大部分服务 运行 作为我的根 domain.So 的子域这是我的 toml:
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint="unix:///var/run/docker.sock"
exposedByDefault=true
watch=true
swarmmode=true
domain="mouv.com"
[acme]
email = "leonardo@mouv.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
# caServer = "https://acme-v02.api.letsencrypt.org/directory"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.mouv.com"
sans = ["mouv.com"]
这是我的 docker-stack.yml
version: '3.6'
services:
traefik:
image: traefik:latest
networks:
- mouv-net
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
ports:
- "80:80"
- "443:443"
- "8080:8080"
command: --api
environment:
DO_AUTH_TOKEN: "xxxxxxxxxxxxxxxx"
deploy:
placement:
constraints: [node.role==manager]
user:
image: hollarves/users-mouv:latest
networks:
- mouv-net
deploy:
labels:
- "traefik.port=8500"
- "traefik.backend=user"
- "traefik.docker.network=mouv-stack_mouv-net"
- "traefik.enable=true"
- "traefik.protocol=http"
- "traefik.frontend.entryPoints=https"
- "traefik.frontend.rule=Host:user.mouv.com"
balances:
image: hollarves/balances-mouv:latest
networks:
- mouv-net
deploy:
labels:
- "traefik.port=8010"
- "traefik.backend=balance"
- "traefik.docker.network=mouv-stack_mouv-net"
- "traefik.enable=true"
- "traefik.protocol=http"
- "traefik.frontend.entryPoints=https"
- "traefik.frontend.rule=Host:balance.mouv.com"
# this container is not part of traefik's network.
firebase:
image: hollarves/firebase-mouv:latest
networks:
- firebase-net
[ ..... more containers ..... ]
networks:
mouv-net:
driver: overlay
[ .... more networks .... ]
我也在日志中看到这个错误
mueve-stack_traefik.1.ndgfhj96lymx@node-1 | time="2019-02-19T13:15:46Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:50668: remote error: tls: unknown certificate authority"
还有这个:
mueve-stack_traefik.1.igy1ilch6wl1@node-1 | time="2019-02-19T13:22:00Z" level=info msg="legolog: [WARN] [mueve.com] acme: error cleaning up: digitalocean: unknown record ID for '_acme-challenge.mueve.com.' "
当我尝试导航到我的其中一项子域服务时,我得到了
subdomain.mouv.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for 9a11926d7857657613b65578dfebc69f.8066eec25224a58acabd968e285babdf.traefik.default.
在我的数字海洋域配置中,我几乎只是添加一个指向我的管理器节点 IP 的 A 记录和一个 CNAME 记录为 *.mouv.com
Let's Encrypt 暂存 (caServer = "https://acme-staging-v02.api.letsencrypt.org/directory") 提供的证书不是有效证书,这是正常的。
https://letsencrypt.org/docs/staging-environment/
The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.
要获得有效证书,您必须使用 Let's Encrypt 生产端点 (caServer = "https://acme-v02.api.letsencrypt.org/directory")
所以,我正在尝试将我的 docker swarm 与 traefik 部署到一个数字海洋水滴集群中。我使用 traefik 作为我的反向代理和负载平衡器,所以我必须使用 traefik 获得 SSL 证书。该文档看起来很简单,所以我真的不明白我的配置出了什么问题。我希望你们能阐明我做错了什么。我正在使用通配符域将我的大部分服务 运行 作为我的根 domain.So 的子域这是我的 toml:
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint="unix:///var/run/docker.sock"
exposedByDefault=true
watch=true
swarmmode=true
domain="mouv.com"
[acme]
email = "leonardo@mouv.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
# caServer = "https://acme-v02.api.letsencrypt.org/directory"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.mouv.com"
sans = ["mouv.com"]
这是我的 docker-stack.yml
version: '3.6'
services:
traefik:
image: traefik:latest
networks:
- mouv-net
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
ports:
- "80:80"
- "443:443"
- "8080:8080"
command: --api
environment:
DO_AUTH_TOKEN: "xxxxxxxxxxxxxxxx"
deploy:
placement:
constraints: [node.role==manager]
user:
image: hollarves/users-mouv:latest
networks:
- mouv-net
deploy:
labels:
- "traefik.port=8500"
- "traefik.backend=user"
- "traefik.docker.network=mouv-stack_mouv-net"
- "traefik.enable=true"
- "traefik.protocol=http"
- "traefik.frontend.entryPoints=https"
- "traefik.frontend.rule=Host:user.mouv.com"
balances:
image: hollarves/balances-mouv:latest
networks:
- mouv-net
deploy:
labels:
- "traefik.port=8010"
- "traefik.backend=balance"
- "traefik.docker.network=mouv-stack_mouv-net"
- "traefik.enable=true"
- "traefik.protocol=http"
- "traefik.frontend.entryPoints=https"
- "traefik.frontend.rule=Host:balance.mouv.com"
# this container is not part of traefik's network.
firebase:
image: hollarves/firebase-mouv:latest
networks:
- firebase-net
[ ..... more containers ..... ]
networks:
mouv-net:
driver: overlay
[ .... more networks .... ]
我也在日志中看到这个错误
mueve-stack_traefik.1.ndgfhj96lymx@node-1 | time="2019-02-19T13:15:46Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:50668: remote error: tls: unknown certificate authority"
还有这个:
mueve-stack_traefik.1.igy1ilch6wl1@node-1 | time="2019-02-19T13:22:00Z" level=info msg="legolog: [WARN] [mueve.com] acme: error cleaning up: digitalocean: unknown record ID for '_acme-challenge.mueve.com.' "
当我尝试导航到我的其中一项子域服务时,我得到了
subdomain.mouv.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for 9a11926d7857657613b65578dfebc69f.8066eec25224a58acabd968e285babdf.traefik.default.
在我的数字海洋域配置中,我几乎只是添加一个指向我的管理器节点 IP 的 A 记录和一个 CNAME 记录为 *.mouv.com
Let's Encrypt 暂存 (caServer = "https://acme-staging-v02.api.letsencrypt.org/directory") 提供的证书不是有效证书,这是正常的。
https://letsencrypt.org/docs/staging-environment/
The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.
要获得有效证书,您必须使用 Let's Encrypt 生产端点 (caServer = "https://acme-v02.api.letsencrypt.org/directory")