Traefik, Docker and Let's Encrypt

The last stage before my site can finally go live: SSL.

I am using a Jekyll site, Traefik as a reverse proxy, Docker to prevent "it works on my machine", and Let's Encrypt for SSL. Looking at the documentation this should be a walk in the park, but (as with everything in software development) it turns out to be harder than it looks.

My current Traefik configuration:

```toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
        [entryPoints.http.redirect]
            entryPoint = "https"
            permanent = true
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]

[docker]
    endpoint = "unix:///var/run/docker.sock"
    domain = "johanvergeer.com"
    watch = true
    exposedByDefault = true
    usebindportip = true
    swarmMode = true
[acme]
    email = "johanvergeer@gmail.com"
    storage = "acme.json"
    entryPoint = "https"
    acmeLogging = true
    caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
    [[acme.domains]]
    main = "johanvergeer.com"
    [acme.httpChallenge]
    entryPoint = "http"
    provider = "digitalocean"
```

And the docker-compose file:

```yaml
version: "3.6"
services:
  site:
    ports:
      - 4000:4000
    image: registry.gitlab.com/johanvergeer/redgyro/site:latest
    deploy:
      labels:
        - traefik.site.port=4000
        - traefik.enable=true
        - traefik.frontend.rule=Host:johanvergeer.com
        - traefik.frontend.entryPoints=http,https
        - traefik.docker.network=traefik-net
        - traefik.backend.loadbalancer.method=drr
    networks:
      - traefik-net

  reverse-proxy:
    image: traefik # The official Traefik docker image
    ports:
      - "80:80"     # The HTTP port
      - "8080:8080" # The Web UI (enabled by --api)
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - $PWD/traefik.toml:/etc/traefik/traefik.toml
      - $PWD/acme.json:/etc/traefik/acme.json
    deploy:
      labels:
        - traefik.site.port=80
        - traefik.logLevel=DEBUG
        - traefik.docker.network=traefik-net
        - traefik.backend.loadbalancer.method=drr
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
    networks:
      - traefik-net

networks:
  traefik-net:
    name: traefik-net
```

At this point I am not even getting anything in the Traefik logs, even though it is set to DEBUG.

The browser shows the error `Your connection is not private NET::ERR_CERT_AUTHORITY_INVALID`.

Does anyone know how to fix this?

httpChallenge does not accept a provider parameter. You could try removing it.

If that does not work, and you are running on DigitalOcean, try a dnsChallenge instead of an httpChallenge. To do that, change this in your traefik.toml:

```toml
[acme.httpChallenge]
entryPoint = "http"
provider = "digitalocean"
```

to this:

```toml
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
```

and pass in the DO_AUTH_TOKEN environment variable as specified here. If you anticipate adding subdomains later, a DNS challenge with wildcard domains is the way to go.

Also consider removing caServer from your config so that you default to production, in case you hit the Let's Encrypt rate limit while on staging.

If you have not already, you could also try asking for help on the Let's Encrypt Community Support forum.
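As an added check that is not part of the question or the answer above, the following script lints the `[acme]` section of a Traefik 1.x `traefik.toml` for the pitfalls the answer raises: a `provider` key under `httpChallenge`, a `dnsChallenge` for DigitalOcean without `DO_AUTH_TOKEN` in the environment, and a `caServer` still pointing at the staging CA (whose certificates browsers reject with `NET::ERR_CERT_AUTHORITY_INVALID`). It assumes Python 3.11's `tomllib` (or the `tomli` package on older versions); the sample config embedded below is constructed from the question.

```python
"""Lint a Traefik 1.x [acme] section for the ACME pitfalls discussed above."""
import os

try:
    import tomllib  # Python 3.11+
except ImportError:  # assumption: `pip install tomli` on older Pythons
    import tomli as tomllib

STAGING_CA = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed sample: the asker's [acme] section, with placeholder values.
SAMPLE_TOML = """
[acme]
    email = "admin@example.com"
    storage = "acme.json"
    entryPoint = "https"
    caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
    [[acme.domains]]
    main = "example.com"
    [acme.httpChallenge]
    entryPoint = "http"
    provider = "digitalocean"
"""


def lint_acme(toml_text: str, env: dict) -> list:
    """Return a list of findings; an empty list means the section looks sane."""
    acme = tomllib.loads(toml_text).get("acme", {})
    findings = []
    http = acme.get("httpChallenge")
    dns = acme.get("dnsChallenge")
    if http is not None and "provider" in http:
        findings.append("httpChallenge takes no 'provider' key; "
                        "use [acme.dnsChallenge] for a DNS provider")
    if http is None and dns is None:
        findings.append("no challenge configured; add [acme.httpChallenge] "
                        "or [acme.dnsChallenge]")
    if dns is not None and dns.get("provider") == "digitalocean" \
            and "DO_AUTH_TOKEN" not in env:
        findings.append("dnsChallenge provider 'digitalocean' needs "
                        "DO_AUTH_TOKEN in the environment")
    if acme.get("caServer") == STAGING_CA:
        findings.append("caServer is the staging CA; browsers will reject its "
                        "certificates (NET::ERR_CERT_AUTHORITY_INVALID); "
                        "drop caServer for production")
    return findings


if __name__ == "__main__":
    for finding in lint_acme(SAMPLE_TOML, dict(os.environ)):
        print("-", finding)
```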