Traefik https backend communication causes x509: certificate is valid for 127.0.0.1 not <Container IP>
Traefik ssl containers - '500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.x.x.x
I am using traefik:v2.8.2 and a container running apache on ports 80 and 443. Apache redirects port 80 requests to port 443.
Below is my traefik.yml file -
# configure logs
log:
  level: DEBUG # Set to 'DEBUG' for troubleshooting
# configure entry points
entryPoints:
  web:
    address: ":80"
    http:
      redirections: # http to https redirection
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  postgres:
    address: ":5432"
# configure providers
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # connection to the docker daemon
    exposedByDefault: false # ignore containers without label 'traefik.enable=true'
  file:
    directory: "/etc/traefik/conf" # directory for dynamic traefik configuration files
    watch: true # changes are processed immediately
# configure api service
api:
  dashboard: true # enable the traefik dashboard
Below is my tls configuration
tls:
  certificates:
    - certFile: "/etc/traefik/certs/knandan-cert.pem"
      keyFile: "/etc/traefik/certs/knandan-key.pem"
Below is my docker-compose.yml file
version: "3.8"
services:
  traefik:
    networks:
      - d_local
    image: traefik:v2.8.2
    container_name: "d_traefik"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --serverstransport.insecureskipverify=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs/:/etc/traefik/certs/:ro
      - ./static_conf.yml:/traefik.yml:ro
      - ./conf/:/etc/traefik/conf/:ro
    labels:
      - traefik.enable=true
      - traefik.docker.network=d_local
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.rule=Host(`knandan.app`)
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
  d_apiapp:
    build:
      context: apiapp
      dockerfile: .docker/Dockerfile
    container_name: apiapp
    restart: unless-stopped
    image: apiapp
    domainname: api.knandan.app
    ports:
      - "8080:80"
    networks:
      - d_local
    volumes:
      - "./apiapp:/srv/app"
      - "./certs:/etc/ssl/crt"
    labels:
      - traefik.enable=true
      - traefik.http.routers.apiapp.entrypoints=websecure
      - traefik.http.routers.apiapp.rule=Host(`api.knandan.app`)
      - traefik.http.routers.apiapp.tls=true
      - traefik.http.services.apiapp.loadbalancer.server.port=443
      - traefik.http.services.apiapp.loadbalancer.server.scheme=https
networks:
  d_local:
    external: true
When I run docker-compose, I can see the traefik dashboard. But when I open api.knandan.app I get an Internal Server Error.
After checking the logs, I can see that some ssl verification is failing; below is the error -
time="2022-08-18T07:04:09Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.18.0.2"
I noticed that traefik is reaching my container on the container ip instead of on the hostname
level=debug msg="Creating server 0 https://172.18.0.2:443" routerName=apiapp@docker serverName=0 serviceName=apiapp entryPointName=websecure
Can someone help me resolve this issue? Thanks in advance.
Below is my apache config - running behind traefik to serve a Laravel application
Traefik may be using the default self-signed certificate; I guess wildcard certificates are not supported when using a custom certificate.
So try adding a default certificate in the configuration file:
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/knandan-cert.pem
        keyFile: /etc/traefik/certs/knandan-cert.key
Here is a useful link
You should also check that the directory indicated in the apiapp volume is correct; if apiapp is an ubuntu-based image, it should be /etc/ssl/certs rather than /etc/ssl/crt.
Don't use underscores in container names. Otherwise the container name will be used as an invalid hostname.
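One way to keep certificate verification on the Traefik-to-apache hop instead of skipping it, as an added example that is not part of the question or any answer: a Traefik v2 dynamic configuration file dropped into the /etc/traefik/conf directory that the question's file provider already watches, declaring a serversTransport that verifies the backend certificate against the hostname rather than the container IP Traefik dials (the logged "Creating server 0 https://172.18.0.2:443"). The file name, the transport name and the CA path are assumptions; the backend certificate itself must also carry api.knandan.app as a DNS SAN, since the logged error shows it currently covers only 127.0.0.1 and ::1.

```yaml
# /etc/traefik/conf/apiapp-transport.yml (assumed file name; any file in the
# directory watched by the question's file provider is loaded and, with
# watch: true, reloaded on change)
http:
  serversTransports:
    apiapp-transport:            # assumed transport name
      # Name Traefik presents via SNI and verifies the backend certificate
      # against, instead of the dialed address 172.18.0.2; the backend cert
      # needs this name as a DNS SAN or verification still fails
      serverName: "api.knandan.app"
      # CA that issued the backend certificate (assumed path, inside the
      # ./certs mount the compose file already makes read-only)
      rootCAs:
        - "/etc/traefik/certs/knandan-ca.pem"
      # Keep verification on; the question's compose command line currently
      # disables it with --serverstransport.insecureskipverify=true, yet the
      # logged x509 error shows verification was still performed
      insecureSkipVerify: false
```

Bind the transport to the backend with the label traefik.http.services.apiapp.loadbalancer.serverstransport=apiapp-transport@file on the d_apiapp service, alongside the existing server.port and server.scheme labels.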