Traefik V2.2.1 - All services except the Traefik service return [NET::ERR_CERT_AUTHORITY_INVALID] and use [TRAEFIK DEFAULT CERT]
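I decided to upgrade traefik from version 1.7.x to 2.2.1.
So I followed the guidelines of the solution above (https://gist.github.com/fatihyildizhan/8f124039a9bd3801f0caf3c01c3601fb) so that traefik version 2.2.1 would work.
Traefik v2.2.1 works and correctly redirects the http port to https.
But the whoami service, when redirected from the http port to https, shows the following message: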
WHOAMI return
NET::ERR_CERT_AUTHORITY_INVALID
TRAEFIK DEFAULT CERT
############################################
Problem
############################################
Returns - Whoami Address / Service
C:\Windows\system32> curl http://whoami.ehpop.com.br/
Moved Permanently
C:\Windows\system32> curl https://whoami.ehpop.com.br/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you would like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
C:\Windows\system32> curl https://whoami.ehpop.com.br/ -k
Hostname: 420fd35c2aff
IP: 127.0.0.1
IP: 172.23.0.2
RemoteAddr: 172.23.0.5:48334
GET / HTTP/1.1
Host: whoami.ehpop.com.br
User-Agent: curl/7.39.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 177.223.109.184
X-Forwarded-Host: whoami.ehpop.com.br
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: ffb0f2160d14
X-Real-Ip: 177.223.109.184
############################################
OK
############################################
Returns for access to the traefik monitor
C:\Windows\system32> curl http://traefik.ehpop.com.br --user admin
Enter host password for user 'admin':
Moved Permanently
C:\Windows\system32> curl https://traefik.ehpop.com.br --user admin
Enter host password for user 'admin':
<a href="/dashboard/">Found</a>.
############################################
Files and settings I'm using:
############################################
############################################
[Traefik v2.] - docker-compose.yml with httpChallenge
############################################
version: '3.7'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$password"
      - "traefik.http.routers.traefik.rule=Host(`traefik.ehpop.com.br`)"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.ehpop.com.br`)"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
networks:
  proxy:
    external: true
############################################
[Traefik v2.] - traefik.yml with httpChallenge
############################################
api:
  dashboard: true
# Writing Logs to a File, in JSON
log:
  level: DEBUG
  filePath: "log-file.log"
  format: json
# Configuring a buffer of 100 lines
accessLog:
  filePath: "log-access.log"
  bufferingSize: 100
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: naugustijr@gmail.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
############################################
[Traefik v2.] - whoami - docker-compose.yml
############################################
version: '3.7'
services:
  whoami:
    image: containous/whoami
    container_name: whoami
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=http"
      - "traefik.http.routers.whoami.rule=Host(`whoami.ehpop.com.br`, `www.whoami.ehpop.com.br`)"
      - "traefik.http.middlewares.whoami-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.whoami-https-redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.whoami.middlewares=whoami-https-redirect"
      - "traefik.http.routers.whoami-secure.entrypoints=https"
      - "traefik.http.routers.whoami-secure.rule=Host(`whoami.ehpop.com.br`, `www.whoami.ehpop.com.br`)"
      - "traefik.http.routers.whoami-secure.tls=true"
      - "traefik.http.routers.whoami-secure.tls.certresolver=http"
      - "traefik.http.routers.whoami-secure.service=whoami"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
I would like to know how to solve this problem.
I looked at the traefik documentation and found no error.
I changed this part
- "traefik.http.routers.whoami.rule=Host(`whoami.ehpop.com.br`, `www.whoami.ehpop.com.br`)"
- "traefik.http.routers.whoami-secure.rule=Host(`whoami.ehpop.com.br`, `www.whoami.ehpop.com.br`)"
to this
- "traefik.http.routers.whoami.rule=Host(`whoami.ehpop.com.br`)"
- "traefik.http.routers.whoami-secure.rule=Host(`whoami.ehpop.com.br`)"
It worked!
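
An added diagnostic, not part of the original post: a router with a `certresolver` requests one ACME certificate covering every name in its `Host()` rule, and if no certificate is stored for those names Traefik serves TRAEFIK DEFAULT CERT. The script below lists router hosts that have no certificate in `acme.json`; the label list and the `acme.json` content are constructed samples, and the assumed file layout (resolver name, then `Certificates`, then `domain.main` / `domain.sans`) is the Traefik v2 storage format. Wildcard certificates are not handled.

```python
import json
import re

# Constructed sample data mirroring the labels in the post (not the real acme.json).
LABELS = [
    "traefik.http.routers.traefik-secure.rule=Host(`traefik.ehpop.com.br`)",
    "traefik.http.routers.traefik-secure.tls.certresolver=http",
    "traefik.http.routers.whoami-secure.rule=Host(`whoami.ehpop.com.br`, `www.whoami.ehpop.com.br`)",
    "traefik.http.routers.whoami-secure.tls.certresolver=http",
]
# Assumed Traefik v2 acme.json layout: {resolver: {"Certificates": [{"domain": {...}}]}}
ACME_JSON = json.dumps({"http": {"Certificates": [
    {"domain": {"main": "traefik.ehpop.com.br"}, "certificate": "...", "key": "..."},
]}})

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(rule|tls\.certresolver)=(.*)$")

def router_hosts(labels):
    """Return {router: (resolver, [hosts])} for routers that name a certresolver."""
    rules, resolvers = {}, {}
    for label in labels:
        m = ROUTER_RE.match(label.strip().strip('"'))
        if not m:
            continue
        name, key, value = m.groups()
        if key == "rule":
            rules[name] = re.findall(r"`([^`]+)`", " ".join(re.findall(r"Host\(([^)]*)\)", value)))
        else:
            resolvers[name] = value
    return {n: (resolvers[n], rules.get(n, [])) for n in resolvers}

def covered_domains(acme_text, resolver):
    """Collect every main/SAN name that the given resolver has stored a certificate for."""
    names = set()
    for cert in (json.loads(acme_text).get(resolver) or {}).get("Certificates") or []:
        dom = cert.get("domain", {})
        names.add(dom.get("main"))
        names.update(dom.get("sans") or [])
    return names - {None}

def routers_on_default_cert(labels, acme_text):
    """Return {router: [hosts without a stored certificate]}; empty dict means all covered."""
    report = {}
    for name, (resolver, hosts) in router_hosts(labels).items():
        have = covered_domains(acme_text, resolver)
        missing = [h for h in hosts if h not in have]
        if missing:
            report[name] = missing
    return report
```

With `log.level: DEBUG` as configured above, the ACME error for the failing name also appears in `log-file.log`.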