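I use traefik for reverse proxying and TLS certificate management. It worked for a long time, but I recently noticed that traefik is unable to request TLS certificates from LetsEncrypt. I don't know when this started, because I only noticed it now. The error seems to occur on all of my services, but here is one example: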

    bitwarden:
      image: vaultwarden/server
      container_name: bitwarden
      volumes:
        - ./bwdata:/data
      environment:
        - WEBSOCKET_ENABLED=true
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.bitwarden-secure.middlewares=compress"
        - "traefik.http.routers.bitwarden-secure.rule=Host(`bitwarden.example.com`)"
        - "traefik.http.routers.bitwarden-secure.tls=true"
        - "traefik.http.routers.bitwarden.tls.certresolver=myresolver"
      networks:
        - traefik_proxy
      logging:
        driver: "json-file"
        options:
          max-size: "10m"
          max-file: "6"

It routes correctly when I enter the URL, but an error appears in my traefik logs:
traefik_1 | time="2023-12-15T21:39:44Z" level=error msg="Unable to obtain ACME certificate for domains \"bitwarden-docker\": unable to generate a certificate for the domains [bitwarden-docker]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for \"bitwarden-docker\": Domain name needs at least one dot" rule="Host(`bitwarden-docker`)" providerName=myresolver.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=bitwarden@docker
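Since my certificates have not expired yet, I still have TLS, but when creating a new service I get the same error, and it appears for almost all of the services that previously worked.
As far as I remember, I have not changed the traefik service.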

    traefik:
      image: traefik
      command:
        - "--api.insecure=true"
        - "--providers.docker=true"
        - "--providers.docker.exposedbydefault=false"
        - "--entrypoints.web.address=:80"
        - "--entrypoints.web-secure.address=:443"
        - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
        - "--certificatesresolvers.myresolver.acme.email=MY_EMAIL"
        - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        - "--api.dashboard=true"
        - "--api.insecure=true"
        - "--entrypoints.ssh.address=:22" # gitea
      ports:
        - "80:80"
        - "443:443"
        - "8080:8080"
      volumes:
        - "/var/run/docker.sock:/var/run/docker.sock:ro"
        - "./letsencrypt:/letsencrypt"
        - "./static:/var/www/html"
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.reverse.entrypoints=web"
        - "traefik.http.middlewares.auth.basicauth.users=ENCRYPTED_USER"
        - "traefik.http.middlewares.compress.compress=true"
        - 'traefik.http.routers.api.middlewares=authelia@docker'
        - "traefik.http.middlewares.share_auth.basicauth.users=ANOTHER_ENCRYPTED_USER"
      networks:
        - traefik_proxy
      logging:
        driver: "json-file"
        options:
          max-size: "10m"
          max-file: "6"

I tried changing the URL on the new service, but I get the same error.
One of your routers has the wrong name:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bitwarden-secure.middlewares=compress"
      - "traefik.http.routers.bitwarden-secure.rule=Host(`bitwarden.example.com`)"
      - "traefik.http.routers.bitwarden-secure.tls=true"
      - "traefik.http.routers.bitwarden.tls.certresolver=myresolver"

Change

    traefik.http.routers.bitwarden.tls.certresolver=myresolver

to

    traefik.http.routers.bitwarden-secure.tls.certresolver=myresolver