ACME certificates timeout with traefik
Problem description
Hello!
I'm having trouble figuring out why this error occurs. I've tried googling. DNS lookup from within the container seems to be the problem.
Error from the traefik logs:
time="2020-01-30T12:12:12+01:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:54773->127.0.0.11:53: i/o timeout" providerName=cloudflare.acme routerName=traefik-secure@docker rule="Host(`traefik.xyz.se`)"
time="2020-01-30T12:12:32+01:00" level=error msg="Unable to obtain ACME certificate for domains \"hivemq.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:53671->127.0.0.11:53: i/o timeout" rule="Host(`hivemq.xyz.se`)" providerName=cloudflare.acme routerName=hivemq-secure@docker
Unable to lookup google from within traefik container. Don't know if this is working as intended?
/o/a/traefik> docker exec -it traefik /bin/sh
/ # nslookup google.se
nslookup: can't resolve '(null)': Name does not resolve
nslookup: can't resolve 'google.se': Try again
/ #
Traefik docker-compose.yaml
version: '3'
services:
  traefik:
    image: traefik:v2.1
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=redacted
      - CF_API_KEY=redacted
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.xyz.se`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=redacted"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.xyz.se`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=xyz.se"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.xyz.se"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
data/traefik.yml:
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: redacted
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
Service example (hivemq) docker-compose.yml:
version: "3"
services:
  hivemq:
    image: hivemq/hivemq4
    container_name: hivemq
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 1883:1883
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hivemq.entrypoints=http"
      - "traefik.http.routers.hivemq.rule=Host(`hivemq.xyz.se`)"
      - "traefik.http.routers.hivemq.middlewares=https-redirect@file"
      - "traefik.http.routers.hivemq-secure.middlewares=secured@file"
      - "traefik.http.routers.hivemq-secure.entrypoints=https"
      - "traefik.http.routers.hivemq-secure.rule=Host(`hivemq.xyz.se`)"
      - "traefik.http.routers.hivemq-secure.tls=true"
      - "traefik.http.routers.hivemq-secure.service=hivemq"
      - "traefik.http.services.hivemq.loadbalancer.server.port=8080"
      - "traefik.docker.network=proxy"
    networks:
      - internal
      - proxy
networks:
  proxy:
    external: true
  internal:
    external: false
I have also tried reinstalling docker-ce, didn't help.
I had a similar issue and it was due to a bug in Docker: all my containers had lost their connection to the internet, but they were all already removed for maintenance purposes so I couldn't see it.
In the logs, "cannot get ACME client get directory" means that Traefik cannot connect to the Let's Encrypt URL.
I fixed it by:
- Removing Traefik stack
- Pruning networks so traefik-public was removed
- Restarting Docker service
If it's not enough, you can try these:
- Try to restart the Docker Engine, which will reset any iptables rules (assuming you are using Docker on Linux)
- Try to restart your whole machine
- Try to disable (temporarily) the firewall of your machine to verify that it fixes the issue
As mentioned here: https://community.containo.us/t/cannot-create-renew-acme-certificate-cannot-get-acme-client-get-directory/2469/2
I gave a rapid look around concerning Docker bugs about losing connection and it seems to be a mess, for years: https://github.com/moby/moby/issues/15172
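The log lines in the question and the answer's reading of "cannot get ACME client get directory" both come down to one question: did the failure happen at DNS, at TCP, or later? The following triage script is an added example and is not part of the original thread, Traefik, or Docker. It parses Traefik's logfmt error lines, pulls the Go net error apart, and reports which stage failed and which resolver was used. The log lines are constructed after the ones in the question (the domains are the question's placeholders); the third line, with a connection-refused error against a TEST-NET address, is made up to show a non-DNS case.

```python
"""Triage Traefik ACME errors from logfmt log lines (added example, not Traefik's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: lines 1-2 follow the question's errors, line 3 is a made-up TCP failure.
SAMPLE_LOG = r'''
time="2020-01-30T12:12:12+01:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:54773->127.0.0.11:53: i/o timeout" providerName=cloudflare.acme routerName=traefik-secure@docker rule="Host(`traefik.xyz.se`)"
time="2020-01-30T12:12:32+01:00" level=error msg="Unable to obtain ACME certificate for domains \"hivemq.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:53671->127.0.0.11:53: i/o timeout" rule="Host(`hivemq.xyz.se`)" providerName=cloudflare.acme routerName=hivemq-secure@docker
time="2020-01-30T12:13:00+01:00" level=error msg="Unable to obtain ACME certificate for domains \"other.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 203.0.113.10:443: connect: connection refused" routerName=other-secure@docker
'''

DOCKER_EMBEDDED_DNS = "127.0.0.11"  # Docker's per-network embedded resolver

# key=value pairs; quoted values may contain backslash-escaped quotes.
LOGFMT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
DOMAINS_RE = re.compile(r'for domains "([^"]+)"')
# Go's resolver error: "lookup <host> on <server>: <reason>"
LOOKUP_RE = re.compile(r'lookup (\S+) on (\S+?): (.*)$')


@dataclass
class AcmeFailure:
    domains: Optional[str]
    cause: str                      # dns_timeout, dns_nxdomain, dns_other, tcp_refused, tcp_timeout, other
    lookup_host: Optional[str] = None
    resolver: Optional[str] = None


def parse_logfmt(line: str) -> dict:
    """Split one logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in LOGFMT_PAIR.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def classify(msg: str) -> AcmeFailure:
    """Decide at which stage the ACME directory fetch failed, from the message text."""
    m = DOMAINS_RE.search(msg)
    domains = m.group(1) if m else None
    lookup = LOOKUP_RE.search(msg)
    if lookup:
        host, resolver, reason = lookup.groups()
        if "i/o timeout" in reason:
            cause = "dns_timeout"
        elif "no such host" in reason:
            cause = "dns_nxdomain"
        else:
            cause = "dns_other"
        return AcmeFailure(domains, cause, host, resolver)
    if "connection refused" in msg:
        return AcmeFailure(domains, "tcp_refused")
    if "i/o timeout" in msg:
        return AcmeFailure(domains, "tcp_timeout")
    return AcmeFailure(domains, "other")


def explain(f: AcmeFailure) -> str:
    """Human-readable pointer to where to look next."""
    if f.cause.startswith("dns_") and f.resolver and f.resolver.startswith(DOCKER_EMBEDDED_DNS):
        return (f"DNS for {f.lookup_host} failed via Docker's embedded resolver {f.resolver}: "
                "the container cannot resolve external names. Check the Docker network, "
                "the host's resolv.conf and firewall; Traefik's dnsChallenge.resolvers "
                "do not apply to this lookup.")
    if f.cause.startswith("dns_"):
        return f"DNS for {f.lookup_host} failed via {f.resolver}; check that resolver."
    if f.cause.startswith("tcp_"):
        return "Name resolved but the TCP connection to the ACME endpoint failed; check egress rules."
    return "Unrecognised failure; read the full message."


def triage(log_text: str) -> List[AcmeFailure]:
    """Run classification over every error-level ACME line in a log blob."""
    results = []
    for line in log_text.strip().splitlines():
        fields = parse_logfmt(line)
        if fields.get("level") != "error" or "ACME" not in fields.get("msg", ""):
            continue
        results.append(classify(fields["msg"]))
    return results


if __name__ == "__main__":
    for failure in triage(SAMPLE_LOG):
        print(f"{failure.domains}: {failure.cause} -> {explain(failure)}")
```

The detail worth noticing in the question's own lines is the resolver in the error, 127.0.0.11:53. That is Docker's embedded DNS, not the 1.1.1.1 and 8.8.8.8 configured under dnsChallenge.resolvers; those resolvers are only used for the DNS-01 propagation check, while the fetch of the ACME directory goes through the container's normal resolv.conf. So a timeout here is a container networking problem, which is why the accepted remedies are all on the Docker and host side.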