我尝试设置 Traefik 以使用 DNS 质询从 Let's Encrypt 获取证书,并使用此证书保护 whoami 应用程序。我设法获得了证书(很好地存在于 acme.json 文件中),但我的 IngressRoute 没有将这些证书用于路由。
我的集群是一个 K3D 集群。
我从官方 Helm Chart 部署 Traefik v2: helm install traefik traefik/traefik -f traefik-values.yaml
我为图表定义了这些值:
additionalArguments:
- --log.level=TRACE
- --certificatesresolvers.le.acme.email=<MY_EMAIL>
- --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.le.acme.dnschallenge=true
- --certificatesresolvers.le.acme.dnschallenge.provider=route53
- --certificatesresolvers.le.acme.dnschallenge.delayBeforeCheck=60
- --certificatesresolvers.le.acme.dnschallenge.resolvers=8.8.8.8:53
- --certificatesresolvers.le.acme.storage=/data/acme.json
- --entrypoints.web.http.redirections.entryPoint.to=:443
- --entrypoints.web.http.redirections.entryPoint.scheme=https
persistence:
enabled: true
path: /data
env:
- name: AWS_REGION
value: eu-west-1
- name: AWS_HOSTED_ZONE_ID
value: <MY_AWS_HOSTED_ZONE_ID>
- name: AWS_ACCESS_KEY_ID
value: <MY_AWS_ACCESS_KEY_ID>
- name: AWS_SECRET_ACCESS_KEY
value: <MY_AWS_SECRET_ACCESS_KEY>
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: containous/whoami:v1.5.0
---
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
type: ClusterIP
ports:
- port: 80
name: whoami
selector:
app: whoami
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-tls
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`test.mydomain.com`) || Path(`/whoami`)
services:
- name: whoami
port: 80
tls:
certResolver: le
domains:
- main: "*.test.mydomain.com"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] acme: Registering account for MY_EMAIL"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Obtaining bundled SAN certificate"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/118300931"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: use dns-01 solver"
time="2020-09-24T14:04:04Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Preparing to solve DNS-01"
time="2020-09-24T14:04:05Z" level=debug msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2020-09-24T14:05:16Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Trying to solve DNS-01"
time="2020-09-24T14:05:16Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Checking DNS record propagation using [8.8.8.8:53]"
time="2020-09-24T14:05:20Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]"
time="2020-09-24T14:06:24Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] The server validated our request"
time="2020-09-24T14:06:24Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Cleaning DNS-01 challenge"
time="2020-09-24T14:06:25Z" level=debug msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2020-09-24T14:07:21Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] acme: Validations succeeded; requesting certificates"
time="2020-09-24T14:07:23Z" level=debug msg="legolog: [INFO] [*.test.mydomain.com] Server responded with a certificate."
time="2020-09-24T14:07:24Z" level=debug msg="Looking for provided certificate(s) to validate [\"*.test.mydomain.com\"]..." providerName=le.acme
time="2020-09-24T14:07:24Z" level=debug msg="No ACME certificate generation required for domains [\"*.test.mydomain.com\"]." providerName=le.acme
问题与非通配符证书相同。
为什么我的路线不使用 LE 证书?
预先感谢您的帮助。
最佳答案
我刚刚将我的网站从 new.example.com 移出至example.com链接到托管在不同服务器上的旧版本网站。
traefik 没有使用自动的 Let's encrypt 证书,而是使用了默认证书。 dns记录更改后的一个小时内,它才开始使用自动证书。我还没有更新配置。我认为这可能与 this 有关和 this在 traefik 的 github 上发布的问题。
如果它实际上与“chicken-and-egg problem as the domain shouldn't be moved to the new server before the keys work, and keys can't be requested before the domain works ”有关,我建议使用 user-defined certificates dns 更新后 24 小时。然后回退到自动证书应该是安全的。
一些细节
我用了acme configuration来自文档:
certificatesResolvers:
myresolver:
acme:
email: your-email@example.com
storage: acme.json
httpChallenge:
# used during the challenge
entryPoint: web
/etc/traefik/acme/acme.json包含私钥,虽然我不知道它应该如何工作。{
"letsencrypt": {
"Account": {
"Email": "example@mail.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:example@mail.com"
]
},
"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/*******"
},
"PrivateKey": "*******************************************",
"KeyType": "4096"
},
"Certificates": null
}
}
关于ssl - Traefik 使用 DEFAULT CERT 而不是 Let's Encrypt 通配符证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64114704/