微信公众号搜"智元新知"关注
微信扫一扫可直接关注哦!

Traefik 无法连接到 acme 服务器

分类:编程问答

如何解决Traefik 无法连接到 acme 服务器

我正在尝试使用 Docker 在我的 Synology NAS (DS918+) 上安装 Traefik。
但是,我收到一条错误消息,指出 Traefik 无法连接 acme 目录/服务器。 (我用“domain.com”替换了我的域

time="2021-03-15T15:41:47Z" level=error msg="Unable to obtain Acme certificate for domains \"domain.com,*.domain.com\" : cannot get Acme client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:34641->127.0.0.11:53: I/O timeout" providerName=dns-cloudflare.acme

我的 docker-compose.yml 文件:(我关注了 this tutorial

version: "3.7"

########################### NETWORKS
networks:
  traefik_default:
    external:
      name: traefik_default
  default:
    driver: bridge

########################### SERVICES
services:
  # Cloudflare-Companion - Automatic CNAME DNS Creation
  cf-companion:
    container_name: cf-companion
    image: tiredofit/traefik-cloudflare-companion:latest
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TIMEZONE=$TZ
      - TRAEFIK_VERSION=2
      - CF_EMAIL=$CLOUDFLARE_EMAIL # Same as traefik
      # - CF_TOKEN=$CLOUDFLARE_API_TOKEN # Scoped api token not working. Error 10000.
      - CF_TOKEN=$CLOUDFLARE_API_KEY # Same as traefik
      - TARGET_DOMAIN=$DOMAINNAME
      - DOMAIN1=$DOMAINNAME
      - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # copy from Cloudflare Overview page
      - DOMAIN1_PROXIED=TRUE
    #labels:
      # Add hosts specified in rules here to force cf-companion to create the CNAMEs
      # Since cf-companion creates CNAMEs based on host rules,this a workaround for non-docker/external apps
      #- "traefik.http.routers.cf-companion-rtr.rule=HostHeader(`pihole.$DOMAINNAME`) || HostHeader(`hassio.$DOMAINNAME`)"
  # Cloudflare DDNS - Dynamic DNS Updater
  cf-ddns:
    container_name: cf-ddns
    image: oznu/cloudflare-ddns:latest
    restart: always
    environment:
      - API_KEY=$CF_DDNS_KEY
      - ZONE=$DOMAINNAME
      - PROXIED=true
      - RRTYPE=A
      - DELETE_ON_STOP=false
      - DNS_SERVER=1.1.1.1
  # Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:latest # the chevrotin tag refers to v2.2.x
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
      # - --api.insecure=true
      # - --serversTransport.insecureSkipV1erify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG,INFO,WARN,ERROR,FATAL,PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      # - --providers.docker.defaultrule=HostHeader(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services.
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME
      # - --entrypoints.https.http.tls.domains[1].main=$DOMAIN # Pulls main cert for second domain
      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAIN # Pulls wildcard cert for second domain
      - --providers.docker.network=traefik_default
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
      - --hostresolver.resolvconfig=/resolv.conf
      # DNS server veranderen
    networks:
      traefik_default:
        ipv4_address: 192.168.1.69 # You can specify a static IP
    # networks:
    #   - traefik_default
    dns:
      - 1.1.1.1
      - 1.0.0.1
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - /volume1/docker/traefik2/rules:/rules # file provider directory
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - /volume1/docker/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting the container
      - /volume1/docker/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      ## HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      ## HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=HostHeader(`traefik.$DOMAINNAME`)"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file"

我正确设置了所有 DNS 内容traefik 文件夹和 acme.json 文件的权限,我基本上是按照教程一步一步来的,但由于某种原因,我收到了那个错误. 此外,我也收到了这些其他错误,尽管我不知道它们是否重要:

time="2021-03-15T15:41:22Z" level=error msg="middleware \"chain-basic-auth@file\" does not exist" entryPointName=https routerName=traefik-rtr@docker


time="2021-03-15T15:41:23Z" level=warning msg="No domain found in rule HostHeader(`traefik.domain.com`),the TLS options applied for this router will depend on the hostSNI of each request" entryPointName=https routerName=traefik-rtr@docker

The complete log file
有谁知道解决方案?
此致,

解决方法

您能否确认您在 Cloudflare 帐户中为 Traefik 设置了以下 Page Rule

*traefik.example.com/.well-known/acme-challenge/*
SSL: Off

当然,如有必要,请将 *traefik 替换为您的实际子域。

这样做的原因是为此特定端点禁用 Cloudflare,以便在解决 ACME 挑战时不存在代理。

版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。

苹果市值2025年有望达4万亿美元
pythonJavaScriptjavaHTMLPHPreactjsC#AndroidCSSNode.jssqlrpython-3.xMysqLjQueryc++pandasFlutterangularIOSdjangolinuxswifttypescript路由器JSON路由器设置无线路由器h3c华三华三路由器设置华三路由器电脑软件教程arraysdocker软件图文教程Cvue.jslaravelspring-boot