
ACME certificate timeout when using Traefik

Stack Overflow user
Asked 2020-02-03 03:01:41
Answers: 2, Views: 2.3K, Followers: 0, Votes: 2

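Hello!

I'm having trouble figuring out why I'm getting this error. I tried googling it. It seems to be a problem with DNS lookups from inside the container.

Error in the traefik logs: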

time="2020-01-30T12:12:12+01:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:54773->127.0.0.11:53: i/o timeout" providerName=cloudflare.acme routerName=traefik-secure@docker rule="Host(`traefik.xyz.se`)"
time="2020-01-30T12:12:32+01:00" level=error msg="Unable to obtain ACME certificate for domains \"hivemq.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:53671->127.0.0.11:53: i/o timeout" rule="Host(`hivemq.xyz.se`)" providerName=cloudflare.acme routerName=hivemq-secure@docker

I can't look up google from inside the traefik container. Not sure whether this is expected to work?

/o/a/traefik> docker exec -it traefik /bin/sh
/ # nslookup google.se
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'google.se': Try again
/ #

Traefik docker-compose.yaml

version: '3'

services:
  traefik:
    image: traefik:v2.1
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=redacted
      - CF_API_KEY=redacted
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.xyz.se`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=redacted"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.xyz.se`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=xyz.se"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.xyz.se"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true

data/traefik.yml:

api:
  dashboard: true
  debug: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml

certificatesResolvers:
  cloudflare:
    acme:
      email: redacted
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

Example service (hivemq) docker-compose.yml:

version: "3"

services:
  hivemq:
    image: hivemq/hivemq4
    container_name: hivemq
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 1883:1883
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hivemq.entrypoints=http"
      - "traefik.http.routers.hivemq.rule=Host(`hivemq.xyz.se`)"
      - "traefik.http.routers.hivemq.middlewares=https-redirect@file"
      - "traefik.http.routers.hivemq-secure.middlewares=secured@file"
      - "traefik.http.routers.hivemq-secure.entrypoints=https"
      - "traefik.http.routers.hivemq-secure.rule=Host(`hivemq.xyz.se`)"
      - "traefik.http.routers.hivemq-secure.tls=true"
      - "traefik.http.routers.hivemq-secure.service=hivemq"
      - "traefik.http.services.hivemq.loadbalancer.server.port=8080"
      - "traefik.docker.network=proxy"
    networks:
      - internal
      - proxy

networks:
  proxy:
    external: true
  internal:
    external: false

I also tried reinstalling docker-ce, but it didn't help.


2 Answers

Stack Overflow user

Posted 2020-04-26 18:03:04

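I had a similar problem, which was caused by a Docker bug: all of my containers had lost their connection to the Internet, but they had all been removed for maintenance, so I couldn't see it.

In the logs, cannot get ACME client get directory means that Traefik cannot connect to the Let's Encrypt URL.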

I fixed it by:

  • Removing the Traefik stack
  • Pruning the service networks in order to remove traefik-
  • Restarting Docker

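If that is not enough, you can try these:

  • Try restarting the Docker engine, which resets all iptables rules (assuming you are using Docker on Linux)
  • Try restarting your whole machine
  • Try (temporarily) disabling your machine's firewall to verify whether that fixes the problem

As mentioned here: https://community.containo.us/t/cannot-create-renew-acme-certificate-cannot-get-acme-client-get-directory/2469/2

I took a quick look at the Docker bugs about connectivity loss over the years, and it looks like a mess: https://github.com/moby/moby/issues/15172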

Votes: 1
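
Added example (not part of the original answers, and not Traefik's own code): a small triage of the error lines from the question, showing that the failure happens at the DNS lookup against Docker's embedded resolver 127.0.0.11, before any connection to Let's Encrypt is attempted. The second sample line and the names `parse_logfmt`, `triage` and `triage_all` are constructed for illustration.

```python
import re

# Constructed sample input: line 1 is the first error line from the question,
# line 2 is a made-up TCP-level failure (documentation addresses) for contrast.
SAMPLE_LOG = r'''
time="2020-01-30T12:12:12+01:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:54773->127.0.0.11:53: i/o timeout" providerName=cloudflare.acme routerName=traefik-secure@docker rule="Host(`traefik.xyz.se`)"
time="2020-01-30T12:13:00+01:00" level=error msg="Unable to obtain ACME certificate for domains \"app.example.test\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 203.0.113.10:443: i/o timeout" providerName=cloudflare.acme routerName=app-secure@docker
'''

PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # logfmt key=value, value may be quoted
DNS = re.compile(r'lookup (\S+) on ([\d.]+):53: .*i/o timeout')
TCP = re.compile(r'dial tcp ([\d.]+):(\d+): ')
DOCKER_EMBEDDED_DNS = "127.0.0.11"  # resolver Docker injects on user-defined networks

def parse_logfmt(line):
    """Split one Traefik logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, val in PAIR.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields

def triage(line):
    """Report where the ACME directory fetch failed: dns, tcp or other."""
    f = parse_logfmt(line)
    msg = f.get("msg", "")
    if "cannot get ACME client" not in msg:
        return None  # not the error this page is about
    domain = re.search(r'for domains "([^"]+)"', msg)
    result = {"router": f.get("routerName"),
              "domain": domain.group(1) if domain else None}
    if (m := DNS.search(msg)):
        # Name resolution timed out: no packet ever reached Let's Encrypt.
        result.update(stage="dns", resolver=m.group(2),
                      docker_embedded=(m.group(2) == DOCKER_EMBEDDED_DNS))
    elif (m := TCP.search(msg)):
        # The name resolved, but the TCP connection to the peer failed.
        result.update(stage="tcp", peer=f"{m.group(1)}:{m.group(2)}")
    else:
        result.update(stage="other")
    return result

def triage_all(text=SAMPLE_LOG):
    return [r for r in map(triage, text.strip().splitlines()) if r]

if __name__ == "__main__":
    for r in triage_all():
        print(r)
```

A `dns` result with `docker_embedded` set points at the container network or the host's forwarding of DNS traffic, which matches the failing `nslookup` shown in the question.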

Stack Overflow user

Posted 2020-02-28 17:03:54

I'm not a docker expert, but I ran into a similar problem and fixed it by enabling ipv6 on the docker daemon:

% grep ipv6 /etc/docker/daemon.json
    "ipv6": true

Then you need to reload the docker daemon

% sudo systemctl reload docker
Votes: 0
Original page content provided by Stack Overflow. Translation support provided by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/60029532
