Docker Traefik无法解析DNS (无法到达服务器并获得证书)

Question

在下面的问题上搜索显示，这还不是第一次发布，然而，他们都没有给出真正的答案。

当开始时，Traefik (v2.2.1aka.)作为Docker中的容器，无论我尝试了什么，我都会得到以下错误：

time="2020-05-24T15:48:57Z" level=error msg="Unable to obtain ACME certificate for domains \"<my domain>\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:44687->127.0.0.11:53: i/o timeout" routerName=traefik@docker rule="Host(`<my domain>`)" providerName=le.acme

检查https://letsencrypt.status.io/，这似乎不是我们加密服务器的问题

​

​

我在服务器Debian 10上尝试了两种不同的OSs，UbuntuServer18.04和20.04。在安装操作系统时，我总是遵循我为自己创建的指南：https://gist.github.com/D3strukt0r/5aaba1a021d16b31fa19adf6eb26a102

是的，我在系统中做的尽可能少，对容器做得越多越好。

以下是我在Traefik的docker-compose.yml

version: "2"

# Manage domain access to services
services:
  traefik:
    container_name: traefik
    image: traefik
    command:
      - --log.level=DEBUG
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik_proxy
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.le.acme.email=${ACME_EMAIL}
      - --certificatesresolvers.le.acme.storage=acme.json
      - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
      # - --certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
    restart: always
    networks:
      - traefik_proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      #- ./acme.json:/acme.json
      - ./acme_testing.json:/acme.json
    environment:
      CF_API_EMAIL: ${CF_API_EMAIL}
      CF_API_KEY: ${CF_API_KEY}
    labels:
      - traefik.enable=true

      - traefik.http.routers.traefik0.entrypoints=http
      - traefik.http.routers.traefik0.rule=Host(`<my domain>`)
      - traefik.http.routers.traefik0.middlewares=to_https

      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.rule=Host(`<my domain>`)
      - traefik.http.routers.traefik.middlewares=traefik_auth
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=le
      - traefik.http.routers.traefik.service=api@internal

      # Declaring the user list
      #
      # Note: all dollar signs in the hash need to be doubled for escaping.
      # To create user:password pair, it's possible to use this command:
      # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
      - traefik.http.middlewares.traefik_auth.basicauth.users=${TRAEFIK_USERS}

      # Standard middleware for other containers to use
      - traefik.http.middlewares.to_https.redirectscheme.scheme=https
      - traefik.http.middlewares.to_https_perm.redirectscheme.scheme=https
      - traefik.http.middlewares.to_https_perm.redirectscheme.permanent=true

networks:
  traefik_proxy:
    external: true

其中的文件夹结构：

root@server:/opt/traefik# ls -Al
total 8
-rw------- 1 root root      0 May 24 00:37 acme.json
-rw------- 1 root root      0 May 24 00:37 acme_testing.json
-rw-rw-r-- 1 root docker 2406 May 24 18:04 docker-compose.yml
-rw-rw-r-- 1 root docker  185 May 23 23:49 .env

配置就是这样。

外部的nslookup将提供以下内容：

root@server:/opt/traefik# nslookup acme-staging-v02.api.letsencrypt.org
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
acme-staging-v02.api.letsencrypt.org    canonical name = staging.api.letsencrypt.org.
staging.api.letsencrypt.org     canonical name = 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com.
Name:   56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Address: 172.65.46.172
Name:   56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Address: 2606:4700:60:0:f41b:d4fe:4325:6026

容器内的nslookup将提供以下内容：

manuele@server:/opt$ docker exec -it traefik /bin/sh
/ # nslookup acme-staging-v02.api.letsencrypt.org
;; connection timed out; no servers could be reached

也许为了获得更多的信息，这里也有日志

root@server:/opt/traefik# docker-compose up
Recreating traefik ... done
Attaching to traefik
traefik    | time="2020-05-24T16:05:34Z" level=info msg="Configuration loaded from flags."
traefik    | time="2020-05-24T16:05:34Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik_proxy\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"le\":{\"acme\":{\"email\":\"<ACME Email>\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"}}}}}"
traefik    | time="2020-05-24T16:05:34Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
traefik    | time="2020-05-24T16:05:34Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Start TCP Server" entryPointName=https
traefik    | time="2020-05-24T16:05:34Z" level=info msg="Starting provider *acme.Provider {\"email\":\"<ACME Email>\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"le\",\"store\":{},\"ChallengeStore\":{}}"
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Start TCP Server" entryPointName=http
traefik    | time="2020-05-24T16:05:34Z" level=info msg="Testing certificate renew..." providerName=le.acme
traefik    | time="2020-05-24T16:05:34Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik_proxy\",\"swarmModeRefreshSeconds\":15000000000}"
traefik    | time="2020-05-24T16:05:34Z" level=info msg="Starting provider *traefik.Provider {}"
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Configuration received from provider le.acme: {\"http\":{},\"tls\":{}}" providerName=le.acme
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Provider connection established with docker 19.03.9 (API 1.40)" providerName=docker
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"traefik\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"traefik_auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`<my domain>`)\",\"tls\":{\"certResolver\":\"le\"}},\"traefik0\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"to_https\"],\"service\":\"traefik-traefik\",\"rule\":\"Host(`<my domain>`)\"}},\"services\":{\"traefik-traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"to_https\":{\"redirectScheme\":{\"scheme\":\"https\"}},\"to_https_perm\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}},\"traefik_auth\":{\"basicAuth\":{\"users\":[\"<traefik users>\"]}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" serviceName=traefik-traefik entryPointName=http routerName=traefik0@docker middlewareName=pipelining middlewareType=Pipelining
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Creating load-balancer" entryPointName=http routerName=traefik0@docker serviceName=traefik-traefik
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Creating server 0 http://172.18.0.2:80" routerName=traefik0@docker serviceName=traefik-traefik serverName=0 entryPointName=http
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Added outgoing tracing middleware traefik-traefik" middlewareType=TracingForwarder routerName=traefik0@docker entryPointName=http middlewareName=tracing
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" entryPointName=http routerName=traefik0@docker middlewareName=to_https@docker middlewareType=RedirectScheme
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Setting up redirection to https " entryPointName=http routerName=traefik0@docker middlewareName=to_https@docker middlewareType=RedirectScheme
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Adding tracing to middleware" entryPointName=http routerName=traefik0@docker middlewareName=to_https@docker
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=http middlewareName=traefik-internal-recovery
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=https routerName=traefik@docker
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" middlewareType=BasicAuth routerName=traefik@docker entryPointName=https middlewareName=traefik_auth@docker
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Adding tracing to middleware" routerName=traefik@docker middlewareName=traefik_auth@docker entryPointName=https
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Try to challenge certificate for domain [<my domain>] found in HostSNI rule" providerName=le.acme rule="Host(`<my domain>`)" routerName=traefik@docker
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Looking for provided certificate(s) to validate [\"<my domain>\"]..." providerName=le.acme rule="Host(`<my domain>`)" routerName=traefik@docker
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Domains [\"<my domain>\"] need ACME certificates generation for domains \"<my domain>\"." providerName=le.acme rule="Host(`<my domain>`)" routerName=traefik@docker
traefik    | time="2020-05-24T16:05:34Z" level=debug msg="Loading ACME certificates [<my domain>]..." providerName=le.acme rule="Host(`<my domain>`)" routerName=traefik@docker
traefik    | time="2020-05-24T16:05:35Z" level=debug msg="Building ACME client..." providerName=le.acme
traefik    | time="2020-05-24T16:05:35Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
traefik    | time="2020-05-24T16:05:55Z" level=error msg="Unable to obtain ACME certificate for domains \"<my domain>\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:49272->127.0.0.11:53: i/o timeout" routerName=traefik@docker providerName=le.acme rule="Host(`<my domain>`)"

现在另一种选择是使用docker run ...，因此让我们尝试使用：

docker run -it \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /opt/traefik/acme_testing.json:/acme.json \
    -e CF_API_EMAIL="<Cloudflare Email>" \
    -e CF_API_KEY="<Cloudflare API>" \
    -p 80:80 \
    -p 443:443 \
    --network traefik_proxy \
    --name traefik \
    traefik \
    --log.level=DEBUG \
    --api.dashboard=true \
    --providers.docker=true \
    --providers.docker.exposedbydefault=false \
    --providers.docker.network=traefik_proxy \
    --entrypoints.http.address=:80 \
    --entrypoints.https.address=:443 \
    --certificatesresolvers.le.acme.email="<ACME Email>" \
    --certificatesresolvers.le.acme.storage=acme.json \
    --certificatesresolvers.le.acme.caserver="https://acme-staging-v02.api.letsencrypt.org/directory" \
    --certificatesresolvers.le.acme.dnschallenge=true \
    --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare

这意味着：

root@server:/opt/traefik# docker exec -it traefik /bin/sh
/ # nslookup acme-staging-v02.api.letsencrypt.org
;; connection timed out; no servers could be reached

好吧，再试一次没有网络：

docker run -it \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /opt/traefik/acme_testing.json:/acme.json \
    -e CF_API_EMAIL="<Cloudflare Email>" \
    -e CF_API_KEY="<Cloudflare API>" \
    -p 80:80 \
    -p 443:443 \
    --name traefik \
    traefik \
    --log.level=DEBUG \
    --api.dashboard=true \
    --providers.docker=true \
    --providers.docker.exposedbydefault=false \
    --providers.docker.network=traefik_proxy \
    --entrypoints.http.address=:80 \
    --entrypoints.https.address=:443 \
    --certificatesresolvers.le.acme.email="<ACME Email>" \
    --certificatesresolvers.le.acme.storage=acme.json \
    --certificatesresolvers.le.acme.caserver="https://acme-staging-v02.api.letsencrypt.org/directory" \
    --certificatesresolvers.le.acme.dnschallenge=true \
    --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare

这导致：

root@server:/opt/traefik# docker exec -it traefik /bin/sh
/ # nslookup acme-staging-v02.api.letsencrypt.org
nslookup: write to '192.168.1.233': Connection refused
Server:         192.168.1.1
Address:        192.168.1.1:53

Non-authoritative answer:
acme-staging-v02.api.letsencrypt.org    canonical name = staging.api.letsencrypt.org
staging.api.letsencrypt.org     canonical name = 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Name:   56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Address: 172.65.46.172

Non-authoritative answer:
acme-staging-v02.api.letsencrypt.org    canonical name = staging.api.letsencrypt.org
staging.api.letsencrypt.org     canonical name = 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Name:   56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com
Address: 2606:4700:60:0:f41b:d4fe:4325:6026

通过所有这些，acme文件仍然是空的，所以问题仍然存在。

root@server:/opt/traefik# ls -Al
total 12
-rw------- 1 root    root       0 May 24 00:37 acme.json
-rw------- 1 root    root       0 May 24 00:37 acme_testing.json
-rw-rw-r-- 1 root    docker  2406 May 24 18:04 docker-compose.yml
-rw-rw-r-- 1 root    docker   185 May 23 23:49 .env

如果有人能帮忙解决这个问题，请提前谢谢。

如果你需要更多的信息，甚至比所有我添加的东西，请随时告诉我，所以我会提供它。

Answer 1

因此，经过几个小时的修补，我发现，这是一个问题，不知何故存在于码头组成的宇宙。解决这个问题的方法其实很简单。

在每个需要与外界对话的容器中添加以下内容：

version: "2"

services:
  <the service>:
    ...
    dns:
      - 1.1.1.1
      - 1.0.0.1
    ...

这将告诉容器内的DNS解析器(低于127.0.0.11)使用这些域，而不是阻止它与外界对话的任何内容。