Traefik acme超时

问题描述 投票:1回答:1

我正在尝试使Traefik在AKS中正常工作。总体来说,它工作正常,但是我无法获得ACME证书。下面附上我的traefik.toml配置,在上面我找不到任何奇怪的东西。

在本用例中,提到的3个域实际上是虚拟的,并且也会回复

# traefik.toml
logLevel = "info"
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
  [entryPoints.traefik]
  address = ":8080"
[ping]
entryPoint = "http"
[kubernetes]
[traefikLog]
  format = "json"
[acme]
KeyType = "RSA4096"
email = "[email protected]"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
acmeLogging = true
  [acme.httpChallenge]
  entryPoint = "http"
[[acme.domains]]
   main = "traefik.domain.com"
[[acme.domains]]
   main = "elasticsearch.domain.com"
[[acme.domains]]
   main = "kibana.domain.com"
[api]
  entryPoint = "traefik"
  dashboard = true

我收到的实际错误是这样:

{"level":"error","msg":"Unable to obtain ACME certificate for domains \"traefik.hardstyletop40.com\" : unable to generate a certificate for the domains [traefik.domain.com]: acme: Error -\u003e One or more domains had a problem:\n[traefik.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://traefik.hardstyletop40.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data, url: \n","time":"2019-09-11T14:47:13Z"}

[有关挑战的详细信息:

"challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/293838266/LPH2sA",
      "token": "mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
      "validationRecord": [
        {
          "url": "http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
          "hostname": "traefik.hardstyletop40.com",
          "port": "80",
          "addressesResolved": [
            "13.79.159.165"
          ],
          "addressUsed": "13.79.159.165"
        }
      ]
    },

提前感谢

lets-encrypt traefik
1个回答
0
投票

Letencrypt的工作原理是将文件放在指定的Web服务器上的.well-known目录中。您是说他们是假人,所以您可能在本地做他们?无论如何,如果在Web服务器上找不到自动生成的文件,则无法验证是否从“拥有”域中请求了证书。

该流程如何大大简化:

  1. letencrypt->生成文件名:abc133 ......
  2. letencrypt->在网络服务器配置中找到所提供域的网络根目录
  3. letsencrypt->将文件复制到给定域的webroot中的.well-known
  4. letencrypt->将带有文件名和域名的Web请求发送到letsencrypt.org
  5. letsencrypt.org->尝试从给定的域中请求通过dns查找的文件
  6. letsencrypt.org->成功请求文件并验证,输出证书
  7. letencrypt->读取证书并复制到证书文件夹,进行一些符号链接
  8. 需要加密->修改Web服务器配置

现在,如果您正在使用虚拟域而不是在实时服务器上,则上述过程将在步骤3上失败,这将导致步骤5失败,这将导致您得到错误。

另一种方法是,如果无法在Web服务器上运行命令以生成证书,则设置DNS记录密钥以进行验证。

sudo certbot -d your.dummy.com --manual --preferred-challenges dns certonly

这将为您提供一个代码,您需要将其放入域服务器上的txt记录中

example of verification code

完成后,您可以在Letsencrypt应用程序中确认已设置记录并继续。

简而言之,如果您无法在Web服务器上运行该命令来生成证书,或者无法修改dns记录,则无法通过letencrypt获得证书。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.