Traefik:使用默认证书时日志中的“无需为域生成 ACME 证书”
[英]Traefik: “No ACME certificate generation required for domains” in the logs while using the default cert
问题描述
I'm struggling with Let's Encrypt setup for my Docker Swarm.
我正在努力为我的 Docker Swarm 设置 Let's Encrypt。 Traefik is started this way in my stack's compose file: Traefik 在我的堆栈的撰写文件中以这种方式启动:
image: traefik:v2.2
ports:
- 80:80
- 443:443
- 8080:8080
command:
- --api
- --log.level=DEBUG
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.swarmMode=true
- --providers.docker.exposedbydefault=false
- --providers.docker.network=traefik-public
- --entrypoints.http.address=:80
- --entrypoints.https.address=:443
- --certificatesResolvers.certbot=true
- --certificatesResolvers.certbot.acme.httpChallenge=true
- --certificatesResolvers.certbot.acme.httpChallenge.entrypoint=http
- --certificatesResolvers.certbot.acme.email=${EMAIL?Variable EMAIL not set}
- --certificatesResolvers.certbot.acme.storage=/certs/acme-v2.json
- --certificatesResolvers.certbot.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
...networks, volumes...
deploy:
mode: replicated
replicas: 1 # to avoid concurrency issues
...
labels:
- "traefik.docker.network=traefik-public"
- "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
- "traefik.http.routers.traefik.rule=Host(`traefik.my-domain.com`)"
- "traefik.http.routers.traefik.entrypoints=http,https"
- "traefik.http.routers.traefik.tls.certresolver=certbot"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}"
And I cannot get more than我不能得到更多
level=debug msg="No ACME certificate generation required for domains [\"traefik.my-domain.com\"]." providerName=certbot.acme routerName=traefik@docker rule="Host(`traefik.my-domain.com`)"
I wonder why no ACME certificate is required while Firefox complains of getting the "TRAEFIK DEFAULT CERT" (Chromium also btw).我想知道为什么在 Firefox 抱怨获得“TRAEFIK DEFAULT CERT”(Chromium 也顺便说一句)时不需要 ACME 证书。
I also tried:我也试过:
- Without the staging server of let's encrypt没有让我们加密的登台服务器
- With a DNS challenge as I hope to make it work with wildcard *.my-domain.com for dev purpose (which works manually with certbot).使用 DNS 挑战,因为我希望使其与通配符 *.my-domain.com 一起用于开发目的(与 certbot 一起手动工作)。
- Setting a traefik.my-domain.com DNS zone (to remove the wildcard case from the problem)设置 traefik.my-domain.com DNS 区域(从问题中删除通配符大小写)
- Changed the mode "replicated" of the deploy with global as suggested here Traefik + Consul not generaitng SSL certificates in replicated mode, using TRAEFIK DEFAULT CERT 使用 TRAEFIK DEFAULT CERT 更改了此处建议的全局“复制”部署模式 Traefik + Consul not 在复制模式下生成 SSL 证书
- I'm presently looking for a way to handle certificates renewal with Certbot directly on my servers...我目前正在寻找一种直接在我的服务器上使用 Certbot 处理证书更新的方法......
2 个解决方案
解决方案1
2 2020-09-17 12:19:17
I've had same issue, and it helped me to change the volume where acme.json is stored.我遇到了同样的问题,它帮助我更改了存储 acme.json 的音量。 I think it's because Traefik sees that acme.json is not empty, he simply doesn't ask for new cert.我认为这是因为 Traefik 看到acme.json不为空,他根本不要求新证书。
So if you're using something like:所以如果你使用类似的东西:
command:
...
- --certificatesResolvers.certbot.acme.storage=/certs/acme-v2.json
volumes:
- "certs:/certs"
Try to use different volume:尝试使用不同的音量:
command:
...
- --certificatesResolvers.certbot.acme.storage=/letsencrypt/acme-v2.json
volumes:
- "letsencrypt:/letsencrypt"
解决方案2
0
For me it was the set default (custom) Cert , that was valid for the full domain, so traefik didn't request a specific acme/letsencrypt one, because it thaught it already has one.对我来说,这是设置的默认(自定义)证书,它对整个域都有效,所以 traefik 没有请求特定的 acme/letsencrypt 一个,因为它认为它已经有了一个。
After disabling the custom default cert it worked instantly.禁用自定义默认证书后,它立即生效。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.