我正在使用 docker 和 traefik 设置一个 gitea 实例。我希望它通过让我们加密证书得到保护。
我的 docker-compose.yml 如下所示(我希望有足够的评论):
version: '3'
services:
reverse-proxy:
# The official v2.0 Traefik docker image
image: traefik:v2.0
command:
# Only for development environment
- "--log.level=DEBUG"
- "--log.filePath=/var/log/traefik.log"
- "--api.insecure=true"
# Get Docker as the provider
- "--providers.docker=true"
# Set the ports for the entry points
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# Set letsencrypt as the certificate provider
- "--certificatesresolvers.le.acme.email=myemail@lutix.org"
- "--certificatesresolvers.le.acme.storage=/acme.json"
- "--certificatesresolvers.le.acme.tlschallenge=true"
# let's encrypt staging server
- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
ports:
# The HTTP port
- "80:80"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
- "443:443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock" # So that Traefik can listen to the Docker events
- "./volumes/traefik/acme.json:/acme.json"
- "./volumes/traefik/traefik.log:/var/log/traefik.log"
gitea:
image: gitea/gitea
depends_on:
- "mysql"
- "reverse-proxy"
- "phpmyadmin"
ports:
- "10022:22"
volumes:
- "./volumes/gitea:/data"
labels:
# WARNING: 2 routers by protocol http and https
- traefik.http.routers.gitea-router-http.rule=Host(`gitea.lutix.org`)
- traefik.http.middlewares.https-redirection.redirectscheme.scheme=https
- traefik.http.routers.gitea-router-http.middlewares=https-redirection
- traefik.http.routers.gitea-router-https.rule=Host(`gitea.lutix.org`)
- traefik.http.routers.gitea-router-https.tls=true
- traefik.http.routers.gitea-router-https.entrypoints=websecure
- traefik.http.routers.gitea-router-https.tls.certresolver=le
- traefik.http.services.gitea-service.loadbalancer.server.port=3000
我认为我的设置是正确的,因为我从很多资源/论坛/stackoverflow 线程中启发了自己。但是 traefik 日志文件中仍然有一条消息我无法解决:
time="2020-02-03T05:26:29Z" level=debug msg="Domains
[\"gitea.lutix.org\"] need ACME certificates generation for domains \"gitea.lutix.org\"." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Loading ACME certificates [gitea.lutix.org]..." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Building ACME client..." providerName=le.acme
time="2020-02-03T05:26:29Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="Using TLS Challenge provider." providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Obtaining bundled SAN certificate"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: use tls-alpn-01 solver"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Trying to solve TLS-ALPN-01"
time="2020-02-03T05:26:33Z" level=debug msg="TLS Challenge Present temp certificate for gitea.lutix.org" providerName=acme
到目前为止,一切都很好
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54496: remote error: tls: bad certificate"
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54500: remote error: tls: bad certificate"
混乱开始!
time="2020-02-03T05:26:44Z" level=debug msg="TLS Challenge CleanUp temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870" time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54512: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54516: remote error: tls: bad certificate"
我遇到此 TLS 握手错误的原因可能是什么?关于防火墙,为了测试,所有规则都已停用。我能做些什么来获得更多关于 TLS 握手失败的信息?我应该切换到另一个挑战,如 http 或 dns 吗?