在Traefik 1.5.0-rc5中使用新的httpChallenge的问题 [英] Issues getting new httpChallenge working in Traefik 1.5.0-rc5

问题描述

在尝试升级到最新的traefik版本以能够从LetsEncrypt生成TLS证书时，在证书生成时间方面遇到了一个问题。

In trying to upgrade to the latest traefik version to be able to generate TLS certs from LetsEncrypt, I've come across a problem when it comes to cert generation time.

此操作以前在 traefik：1.4 上使用 acme.ondemand 标志和其他设置（减去 httpChallenge 键）。

This worked previously on traefik:1.4 using the acme.ondemand flag and the other settings (minus the httpChallenge keys of course).

traefik:
  image: traefik:1.5.0-rc5-alpine
  ports:
    - 80:80/tcp
    - 443:443/tcp
  command:
    - --web
    - --rancher
    - --rancher.metadata
    - --acme
    - --acme.email=my@email.com
    - --acme.onhostrule
    - --acme.httpchallenge
    - --acme.httpchallenge.entrypoint=http
    - --acme.entrypoint=https
    - --acme.storage=/data/acme.json
    - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
    - --entryPoints=Name:https Address::443 TLS
    - --accesslog
    - --accesslog.format=json
    - --debug

Openssl s_client结果为not尚未存在的证书

Openssl s_client result of not-yet-existant cert

CONNECTED(00000003)
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=TRAEFIK DEFAULT CERT
  i:/CN=TRAEFIK DEFAULT CERT
---
...
Verify return code: 21 (unable to verify the first certificate)

Traefik日志

time = 2018-01-16T19：17：49Z level = debug msg =正在寻找提供的证书来验证[mysite.com] ...
time = 2018-01-16T19：17：49Z level = debug msg =未为域[mysite.com]找到提供的证书，请获取ACME证书。
time = 2018-01-16T19：17：49Z level = debug msg =正在为mysite.com寻找现有的ACME挑战...
time = 2018-01-16T19： 17：49Z level = debug msg =未为mysite.com找到或生成证书

试图缩小到一个toml

Attempting to narrow down to just a toml file with the same config to determine if that's the problem or not.

推荐答案

最后，我发现问题出在实际上

I found that in the end, the problem was actually that I didn't have a container matching the host that I was testing against, running in my cluster.

我使用的是 openssl s_client -connect，所以我没有与要测试的主机匹配的容器。

I was using openssl s_client -connect host:443 -servername mysite.com, however I didn't realize that in the cluster I was targeting, there was no container with a label of traefik.frontend.rule=Host:mysite.com.

因此，从traefik的角度来看，我只是得到了404，最终使用了默认的traefik证书。卷曲时-我从未获得过404，因为我从未经历过TLS握手。

Therefore, I was just getting a 404 from traefik's perspective, which ended up using the default traefik cert. When curl'ing - I never got the 404 since I never got past the TLS handshake.

这篇关于在Traefik 1.5.0-rc5中使用新的httpChallenge的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！