How to fix Traefik being unable to connect to the ACME server
I am trying to install Traefik with Docker on my Synology NAS (DS918+).
However, I get an error message saying that Traefik cannot reach the ACME directory/server. (I replaced my domain with "domain.com".)
time="2021-03-15T15:41:47Z" level=error msg="Unable to obtain Acme certificate for domains \"domain.com,*.domain.com\" : cannot get Acme client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:34641->127.0.0.11:53: I/O timeout" providerName=dns-cloudflare.acme
My docker-compose.yml file (I followed this tutorial):
version: "3.7"

########################### NETWORKS
networks:
  traefik_default:
    external:
      name: traefik_default
  default:
    driver: bridge

########################### SERVICES
services:
  # Cloudflare-Companion - Automatic CNAME DNS Creation
  cf-companion:
    container_name: cf-companion
    image: tiredofit/traefik-cloudflare-companion:latest
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TIMEZONE=$TZ
      - TRAEFIK_VERSION=2
      - CF_EMAIL=$CLOUDFLARE_EMAIL # Same as traefik
      # - CF_TOKEN=$CLOUDFLARE_API_TOKEN # Scoped api token not working. Error 10000.
      - CF_TOKEN=$CLOUDFLARE_API_KEY # Same as traefik
      - TARGET_DOMAIN=$DOMAINNAME
      - DOMAIN1=$DOMAINNAME
      - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # copy from Cloudflare Overview page
      - DOMAIN1_PROXIED=TRUE
    #labels:
      # Add hosts specified in rules here to force cf-companion to create the CNAMEs
      # Since cf-companion creates CNAMEs based on host rules, this is a workaround for non-docker/external apps
      #- "traefik.http.routers.cf-companion-rtr.rule=HostHeader(`pihole.$DOMAINNAME`) || HostHeader(`hassio.$DOMAINNAME`)"

  # Cloudflare DDNS - Dynamic DNS Updater
  cf-ddns:
    container_name: cf-ddns
    image: oznu/cloudflare-ddns:latest
    restart: always
    environment:
      - API_KEY=$CF_DDNS_KEY
      - ZONE=$DOMAINNAME
      - PROXIED=true
      - RRTYPE=A
      - DELETE_ON_STOP=false
      - DNS_SERVER=1.1.1.1

  # Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:latest # the chevrotin tag refers to v2.2.x
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
      # - --api.insecure=true
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG,INFO,WARN,ERROR,FATAL,PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      # - --providers.docker.defaultrule=HostHeader(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services.
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME
      # - --entrypoints.https.http.tls.domains[1].main=$DOMAIN # Pulls main cert for second domain
      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAIN # Pulls wildcard cert for second domain
      - --providers.docker.network=traefik_default
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
      - --hostresolver.resolvconfig=/resolv.conf
    # Change the DNS server
    networks:
      traefik_default:
        ipv4_address: 192.168.1.69 # You can specify a static IP
    # networks:
    #   - traefik_default
    dns:
      - 1.1.1.1
      - 1.0.0.1
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - /volume1/docker/traefik2/rules:/rules # file provider directory
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - /volume1/docker/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting the container
      - /volume1/docker/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      ## HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      ## HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=HostHeader(`traefik.$DOMAINNAME`)"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file"
I set up all the DNS entries, the traefik folder and the permissions on the acme.json file correctly, and I basically followed the tutorial step by step, but for some reason I get that error.
I also get these other errors, although I don't know whether they matter:
time="2021-03-15T15:41:22Z" level=error msg="middleware \"chain-basic-auth@file\" does not exist" entryPointName=https routerName=traefik-rtr@docker
time="2021-03-15T15:41:23Z" level=warning msg="No domain found in rule HostHeader(`traefik.domain.com`),the TLS options applied for this router will depend on the hostSNI of each request" entryPointName=https routerName=traefik-rtr@docker
The complete log file
Does anyone know a solution?
Best regards,
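An added log-triage helper (written for this page, not code from the question, the tutorial or Traefik) that parses Traefik's logfmt output and tells a DNS lookup failure at Docker's embedded resolver (127.0.0.11, the address in the error above) apart from a missing-middleware error or a failure returned by the CA itself. The two sample lines are constructed to mirror the ones quoted in the question.

```python
import re

# Constructed sample lines: they mirror the two Traefik log lines quoted in the
# question (same "domain.com" placeholder), so the helper can run offline.
SAMPLE_LOG = r'''
time="2021-03-15T15:41:22Z" level=error msg="middleware \"chain-basic-auth@file\" does not exist" entryPointName=https routerName=traefik-rtr@docker
time="2021-03-15T15:41:47Z" level=error msg="Unable to obtain Acme certificate for domains \"domain.com,*.domain.com\" : cannot get Acme client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:34641->127.0.0.11:53: i/o timeout" providerName=dns-cloudflare.acme
'''.strip().splitlines()

DOCKER_EMBEDDED_DNS = "127.0.0.11"  # resolver Docker injects into every container
# logfmt key=value pairs; quoted values may contain backslash-escaped quotes
KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
LOOKUP = re.compile(r"lookup (\S+) on ([\d.]+):(\d+): .*?(i/o timeout|no such host)")
MIDDLEWARE = re.compile(r'middleware "([^"]+)" does not exist')

def parse_logfmt(line):
    """Split one Traefik logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, quoted, bare in KV.findall(line):
        fields[key] = quoted.replace('\\"', '"') if quoted else bare
    return fields

def triage(line):
    """Classify one log line so the operator sees where the ACME flow failed."""
    f = parse_logfmt(line)
    msg = f.get("msg", "")
    result = {"time": f.get("time"), "level": f.get("level"), "kind": "other"}
    m = LOOKUP.search(msg)
    if m:
        host, ip, port, err = m.groups()
        # Go's "dial tcp: lookup X on R: ... i/o timeout" means the CA was never
        # contacted: name resolution failed at resolver R (here Docker's embedded DNS).
        result.update(kind="dns_failure", host=host, resolver=f"{ip}:{port}",
                      error=err, via_docker_dns=(ip == DOCKER_EMBEDDED_DNS))
        return result
    m = MIDDLEWARE.search(msg)
    if m:
        result.update(kind="missing_middleware", middleware=m.group(1))
        return result
    if "Acme" in msg:
        result["kind"] = "acme_error"  # CA was reached, but the order/challenge failed
    return result

def triage_log(lines):
    return [triage(line) for line in lines if line.strip()]

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(entry)
```

A `via_docker_dns` result of True points at name resolution inside the container rather than at the CA or the DNS challenge, which is a different fix than the `dnsChallenge.resolvers` setting that only governs the challenge check.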
Solution
Could you confirm that you have set the following Page Rule for Traefik in your Cloudflare account?
*traefik.example.com/.well-known/acme-challenge/*
SSL: Off
Of course, replace *traefik with your actual subdomain if necessary.
The reason for this is to disable Cloudflare for this specific endpoint so that no proxy sits in the way while the ACME challenge is being solved.