
Certificate is not created automatically - Docker-Compose, Traefik, Let's Encrypt


I have set up my first home docker stack:

  • DDNS account -> no chance of getting subdomains -> use ports.

  • Configure an https proxy so that each container does not need its own https configuration -> use traefik.

Now I have a traefik.toml with the following content:

defaultEntryPoints = ["http", "https"]
logLevel = "DEBUG"
debug = true

[web]
address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "MY_EMAIL_ADDRESS"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
onDemand = true
OnHostRule = false

[acme.httpChallenge]
entryPoint = "http"

[docker]
domain = "MY_DOMAIN"
watch = true

And a docker-compose.yml that looks like this:

version: '3.4'

services:

  db:
    image: mariadb:10.1
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=SOMEPASSWORD
    env_file:
      - db.env

  wordpress:
    image: wordpress:apache
    restart: always
    ports:
      - "8001:80"
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_PASSWORD=SOMEPASSWORD
      - WORDPRESS_DB_NAME=wordpress
    depends_on:
      - db
    networks:
      - default
      - traefik-net
    deploy:
      replicas: 1
      labels:
        - "traefik.enable=true"
        - "traefik.port=8001"
        - "traefik.docker.network=traefik-net"

  traefik:
    image: traefik:1.5-alpine
    restart: always
    networks:
      - traefik-net
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/traefik/traefik.toml:/etc/traefik/traefik.toml:ro
      - /home/traefik/acme:/etc/traefik/acme
    privileged: true
    container_name: traefik

volumes:
  db:

networks:
  traefik-net:

If I now try to access my traefik instance as follows:

https://MY_DOMAIN/

the client returns (untrusted self-signed certificate):

The certificate is not trusted because it was signed by the issuer itself. (original message in German: "Dem Zertifikat wird nicht vertraut, weil es vom Aussteller selbst signiert wurde.")

The traefik log contains:

traefik      | time="2018-03-19T13:29:29Z" level=debug msg="Looking for provided certificate to validate MY_DOMAIN..." 
traefik      | time="2018-03-19T13:29:29Z" level=debug msg="No provided certificate found for domains MY_DOMAIN, get ACME certificate." 
traefik      | time="2018-03-19T13:29:29Z" level=debug msg="Looking for an existing ACME challenge for MY_DOMAIN..." 
traefik      | time="2018-03-19T13:29:29Z" level=debug msg="http2: server: error reading preface from client 80.129.18.33:44700: remote error: tls: unknown certificate authority"

Does anyone know why the certificate generation does not start? What should I do?

Thanks in advance!

1 Answer

    Traefik reaches your container over the Docker network, and on the Docker network the port you set in the ports mapping of the docker-compose file has no meaning. ports only maps a container port to one of the host's ports.

    So the port you should tell Traefik to use (via the label) is 80, the port the web server listens on. You can drop the ports mapping, since that only concerns the host; if Traefik has a port open for http, it will route the request to your container (through the exposed port, which should be 80).

    As long as your container is on the network, the exposed port is available to all other containers on that network.


    Another note:

    You are using a 3.x version in your docker-compose file. All 3.x versions are swarm-specific, so for non-swarm files stick with 2.x.
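The poster's docker-compose.yml with the answer's two changes applied (traefik.port set to the container port 80 with the host ports mapping removed, and the file format moved to 2.x for a non-swarm docker-compose). This is an added example, not the poster's or the answerer's file. It also makes three changes the answer does not spell out but which follow from it: the labels are moved from deploy: to the service level, because a non-swarm docker-compose ignores the deploy: key entirely, so Traefik never saw the original labels; privileged: true is dropped from the traefik service, since Traefik only needs the Docker socket; and the dashboard port 8080 is no longer published, because the [web] section in the posted traefik.toml serves it without authentication. The traefik.frontend.rule label is an assumption: the poster has no subdomains and accesses https://MY_DOMAIN/, whereas Traefik 1.x's default rule would derive a host name from the container name and the domain. MY_DOMAIN and SOMEPASSWORD are the poster's placeholders.

```yaml
version: '2.4'   # non-swarm docker-compose file format, as the answer recommends (2.x, not 3.x)

services:

  db:
    image: mariadb:10.1
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=SOMEPASSWORD
    env_file:
      - db.env

  wordpress:
    image: wordpress:apache
    restart: always
    # No "ports:" mapping: the host no longer exposes 8001 and every client
    # must go through Traefik. Apache in this image listens on container port 80.
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_PASSWORD=SOMEPASSWORD
      - WORDPRESS_DB_NAME=wordpress
    depends_on:
      - db
    networks:
      - default
      - traefik-net
    # Labels at service level. With plain docker-compose the "deploy:" key is
    # ignored, so labels placed under it never reach Traefik.
    labels:
      - "traefik.enable=true"
      - "traefik.port=80"                     # the container port, not the host port
      - "traefik.docker.network=traefik-net"  # network on which Traefik reaches the container
      - "traefik.frontend.rule=Host:MY_DOMAIN" # assumption: no subdomain available, serve on the bare domain

  traefik:
    image: traefik:1.5-alpine
    restart: always
    networks:
      - traefik-net
    ports:
      - "80:80"    # ACME http challenge and redirect to https
      - "443:443"
      # 8080 (dashboard from the [web] section) deliberately not published:
      # it has no authentication configured in the posted traefik.toml.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/traefik/traefik.toml:/etc/traefik/traefik.toml:ro
      - /home/traefik/acme:/etc/traefik/acme
    # "privileged: true" removed: Traefik needs only the read-only Docker socket.
    container_name: traefik

volumes:
  db:

networks:
  traefik-net:
```

Run `docker-compose config` to validate the file before `docker-compose up -d`, and keep /home/traefik/acme/acme.json readable only by its owner (mode 600), since it holds the account key and the issued private keys.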
