Traefik ssl containers - '500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.x.x.x

I am using traefik:v2.8.2 and a container running apache on ports 80 and 443. Apache redirects port 80 requests to port 443.

Below is my traefik.yml file -

# configure logs
log:
  level: DEBUG # Set to 'DEBUG' for troubleshooting

# configure entry points
entryPoints:
  web:
    address: ":80"
    http:
      redirections: # http to https redirection
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  postgres:
    address: ":5432"
# configure providers
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # connection to the docker daemon
    exposedByDefault: false # ignore containers without label 'traefik.enable=true'
  file:
    directory: "/etc/traefik/conf" # directory for dynamic traefik configuration files
    watch: true # changes are processed immediately

# configure api service
api:
  dashboard: true # enable the traefik dashboard

Below is my tls configuration

tls:
  certificates:
    - certFile: "/etc/traefik/certs/knandan-cert.pem"
      keyFile: "/etc/traefik/certs/knandan-key.pem"

Below is my docker-compose.yml file

version: "3.8"

services:
  traefik:
    networks:
      - d_local
    image: traefik:v2.8.2
    container_name: "d_traefik"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --serverstransport.insecureskipverify=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro 
      - ./certs/:/etc/traefik/certs/:ro 
      - ./static_conf.yml:/traefik.yml:ro 
      - ./conf/:/etc/traefik/conf/:ro 
    labels:
      - traefik.enable=true 
      - traefik.docker.network=d_local
      - traefik.http.routers.traefik.entrypoints=websecure 
      - traefik.http.routers.traefik.rule=Host(`knandan.app`) 
      - traefik.http.routers.traefik.tls=true 
      - traefik.http.routers.traefik.service=api@internal 
      - traefik.http.services.traefik.loadbalancer.server.port=8080

  d_apiapp:
    build:
      context: apiapp
      dockerfile: .docker/Dockerfile
    container_name: apiapp
    restart: unless-stopped
    image: apiapp
    domainname: api.knandan.app
    ports:
      - "8080:80"
    networks:
      - d_local
    volumes:
      - "./apiapp:/srv/app"
      - "./certs:/etc/ssl/crt"
    labels:
      - traefik.enable=true
      - traefik.http.routers.apiapp.entrypoints=websecure
      - traefik.http.routers.apiapp.rule=Host(`api.knandan.app`)
      - traefik.http.routers.apiapp.tls=true
      - traefik.http.services.apiapp.loadbalancer.server.port=443
      - traefik.http.services.apiapp.loadbalancer.server.scheme=https
networks:
  d_local:
    external: true

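When I run docker-compose, I can see the traefik dashboard. But when I open api.knandan.app I get an internal server error.

After checking the logs, I found that some SSL verification failed. Below is the error -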

time="2022-08-18T07:04:09Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.18.0.2" 

I noticed that traefik is running my container on the container IP and not on the hostname

level=debug msg="Creating server 0 https://172.18.0.2:443" routerName=apiapp@docker serverName=0 serviceName=apiapp entryPointName=websecure

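Can someone help me solve this problem? Thanks in advance.

Below is my apache configuration - running behind traefik to run a Laravel application

  1. 000-default.conf

    apache redirect configuration

  2. 000-default-ssl.conf

    apache ssl configuration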

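Traefik is probably using the default auto-signed certificate, and I guess that wildcard certificates are not supported when using custom certificates.

So try adding a default certificate in the configuration file: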

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/knandan-cert.pem
        keyFile: /etc/traefik/certs/knandan-cert.key

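Here is a useful link

You should also check that the directory indicated in the apiapp volumes is correct; if apiapp is an Ubuntu-based image, it should be /etc/ssl/certs instead of /etc/ssl/crt

Do not use underscores in container names. The container name will then be used as an invalid hostname.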
