Traefik ACME DNS challenge not working with docker

I am trying to configure Traefik as a proxy for docker containers running on a DigitalOcean server.

Here is my Traefik container configuration:

version: '2'

services:
  traefik:
    image: traefik
    restart: always
    command: --docker
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik.toml:/traefik.toml
      - $PWD/acme.json:/acme.json
    container_name: traefik
    environment:
      DO_AUTH_TOKEN: abcd
    labels:
      - traefik.frontend.rule=Host:monitor.example.com
      - traefik.port=8080

networks:
  proxy:
    external: true

and traefik.toml,

defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
  [web.auth.basic]
  users = ["admin:secretpassword"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[acme]
email = "lakshmi@example.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
  [acme.dnsChallenge]
    provider = "digitalocean"
    delayBeforeCheck = 0

When I try to access https://monitor.example.com, I get this error:

traefik    | time="2018-05-29T15:35:32Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.com\" detected thanks to rule \"Host:monitor.example.com\" : cannot obtain certificates: acme: Error -> One or more domains had a problem:\n[monitor.example.com] Error presenting token: HTTP 403: forbidden: You do not have access for the attempted action.\n"

I have provided a valid DO token and pointed monitor.example.com at the VM running Traefik. Am I missing any steps?

I was getting the 403 because Traefik was trying to write the TXT records for the ACME DNS challenge into my DigitalOcean domain using a read-only token. I changed it to a read-write token and it works fine.
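The error in the question is a single logfmt line whose message nests a per-domain ACME problem and an HTTP status from the DNS provider. The script below is an added example (not code from the question, the answer, or the Traefik project): it parses such a line, pulls out the domain, the HTTP status and the provider message, and maps the "Error presenting token ... HTTP 403" case to the cause the answer identifies, a DNS API token without write permission on the zone. The sample log line is the one from the question, with the docker-compose service prefix kept; field names and the classification strings are this example's own.

```python
import re
from typing import Optional

# Constructed sample: the log line from the question, including the
# 'traefik    | ' prefix that docker-compose adds in front of each line.
SAMPLE_LOG = (
    r'traefik    | time="2018-05-29T15:35:32Z" level=error msg="Unable to obtain ACME '
    r'certificate for domains \"monitor.example.com\" detected thanks to rule '
    r'\"Host:monitor.example.com\" : cannot obtain certificates: acme: Error -> One or '
    r'more domains had a problem:\n[monitor.example.com] Error presenting token: HTTP 403: '
    r'forbidden: You do not have access for the attempted action.\n"'
)

# key=value pairs; quoted values may contain \" and \n escapes.
LOGFMT_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
COMPOSE_PREFIX = re.compile(r'^\S+\s*\|\s*')
# After unescaping, each failing domain sits on its own line: "[domain] detail".
ACME_DOMAIN_PROBLEM = re.compile(r'^\[(?P<domain>[^\]]+)\] (?P<detail>.+)$', re.M)
HTTP_STATUS = re.compile(r'\bHTTP (?P<status>\d{3})\b')


def parse_logfmt(line: str) -> dict:
    """Parse one Traefik logfmt line into a dict, unescaping quoted values."""
    line = COMPOSE_PREFIX.sub("", line, count=1)
    fields = {}
    for key, raw in LOGFMT_FIELD.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace('\\n', '\n')
        fields[key] = raw
    return fields


def classify(detail: str, status: Optional[int]) -> str:
    """Map the provider's message to a likely cause; only the case the page documents is specific."""
    if "presenting token" in detail and status == 403:
        return ("DNS provider refused to write the challenge TXT record: "
                "the API token needs write scope, not read-only")
    return "unclassified; read the provider message"


def triage_acme_error(line: str) -> Optional[dict]:
    """Return timestamp and per-domain problems for an ACME error line, else None."""
    fields = parse_logfmt(line)
    msg = fields.get("msg", "")
    if fields.get("level") != "error" or "ACME" not in msg:
        return None
    problems = []
    for m in ACME_DOMAIN_PROBLEM.finditer(msg):
        detail = m.group("detail").strip()
        found = HTTP_STATUS.search(detail)
        status = int(found.group("status")) if found else None
        problems.append({
            "domain": m.group("domain"),
            "http_status": status,
            "detail": detail,
            "likely_cause": classify(detail, status),
        })
    return {"time": fields.get("time"), "problems": problems}


if __name__ == "__main__":
    result = triage_acme_error(SAMPLE_LOG)
    for p in result["problems"]:
        print(f'{result["time"]} {p["domain"]}: HTTP {p["http_status"]} -> {p["likely_cause"]}')
```

Run over a container's log stream (`docker logs traefik | python3 triage.py`, adapting the `__main__` block to read stdin) this gives a quick separation between "the DNS provider rejected the write" and everything else, which is the distinction that took the original poster a round-trip to find.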

For anyone else running into this issue, make sure acme.json has 600 permissions. Don't create or touch acme.json yourself; let Traefik create it. After the pod is created, check the permissions on acme.json. The problem I found was that Traefik creates acme.json and sets it to 600. After running an upgrade, acme.json changed to 660 and started giving the 'unknown resolver letsencrypt' error. The fix was to uncomment the 'initContainers' lines in values.yml of the Traefik Helm chart. Basically it sets the permissions to 600 before startup. Hacky but it works.

deployment:
  enabled: true
  # Can be either Deployment or DaemonSet
  kind: Deployment
  replicas: 1
  annotations: {}
  labels: {}
  podAnnotations: {}
  podLabels: {}
  additionalContainers: []
  volumeMounts:
    - name: csi-pvc
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /data/*"]
      volumeMounts:
        - name: csi-pvc
          mountPath: /data
  dnsPolicy: ClusterFirstWithHostNet
  imagePullSecrets: []
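The answer above checks the ACME storage file by hand and then repairs it with a blanket `chmod -R` in an init container. The following is an added example, not code from the answer or from the Traefik Helm chart: a small preflight check that reports why an `acme.json` would be rejected (missing, not a regular file, or a mode other than 0600) and a repair step that only ever touches a regular file, so a mounted directory keeps its execute bit. The `demo()` helper reproduces the 660 situation the answer describes on a throwaway file; file names and function names are this example's own.

```python
import os
import stat
import tempfile

# Mode Traefik expects on its ACME storage file, as stated in the answer above.
EXPECTED_MODE = 0o600


def acme_storage_problems(path: str) -> list:
    """Return a list of reasons the ACME storage file is unusable; empty means OK."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing (let Traefik create it on first start)"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink; Traefik should own a real file")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode != EXPECTED_MODE:
        problems.append(f"mode is {mode:04o}, expected {EXPECTED_MODE:04o}")
    return problems


def tighten_acme_storage(path: str) -> int:
    """Set 0600 on a regular file only (never a directory) and return the new mode."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file; refusing to chmod it")
    os.chmod(path, EXPECTED_MODE)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Constructed scenario: an acme.json left at 660 after an upgrade, then repaired."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "acme.json")
    with open(path, "w") as fh:
        fh.write("{}")
    os.chmod(path, 0o660)          # the state the answer reports after the upgrade
    before = acme_storage_problems(path)
    after_mode = tighten_acme_storage(path)
    after = acme_storage_problems(path)
    os.remove(path)
    os.rmdir(workdir)
    return {"before": before, "after_mode": after_mode, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pointed at the real file (`acme_storage_problems("/acme.json")` inside the container, or the path under the PVC mount in the Kubernetes case) the check is something a readiness step can run before Traefik starts, and it fails loudly instead of silently widening or narrowing permissions on whatever else lives next to the file.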