I am trying to configure Traefik as a proxy for Docker containers running on a DigitalOcean server.
Here is my Traefik container configuration:

version: '2'
services:
  traefik:
    image: traefik
    restart: always
    command: --docker
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik.toml:/traefik.toml
      - $PWD/acme.json:/acme.json
    container_name: traefik
    environment:
      DO_AUTH_TOKEN: abcd
    labels:
      - traefik.frontend.rule=Host:monitor.example.com
      - traefik.port=8080
networks:
  proxy:
    external: true

and traefik.toml:

defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"
  [web.auth.basic]
  users = ["admin:secretpassword"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "lakshmi@example.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
  [acme.dnsChallenge]
  provider = "digitalocean"
  delayBeforeCheck = 0

When I try to access https://monitor.example.com, I get the following error:

traefik | time="2018-05-29T15:35:32Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.com\" detected thanks to rule \"Host:monitor.example.com\" : cannot obtain certificates: acme: Error -> One or more domains had a problem:\n[monitor.example.com] Error presenting token: HTTP 403: forbidden: You do not have access for the attempted action.\n"

I provided a valid DO token and pointed monitor.example.com to the VM running Traefik. Did I miss any step?

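Posted on 2018-06-01 13:22:40
I was getting a 403 because Traefik was trying to use a read-only DigitalOcean token to write a TXT entry for the ACME challenge in my domain. I switched it to a read-write token and it worked fine.
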
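Posted on 2021-09-28 15:39:37
For anyone else having this problem, make sure acme.json has 600 permissions. Do not create or touch acme.json yourself. Let Traefik create it. After the pod is created, check the permissions on acme.json. The problem I found was that Traefik creates acme.json and sets it to 600. After running an upgrade, acme.json changed to 660 and it started giving "unknown resolver Let's Encrypt" errors. The fix was to uncomment the initContainers lines in the Traefik chart. Basically, it sets the permissions to 600 before startup. Unexciting, but it works.
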
deployment:
  enabled: true
  # Can be either Deployment or DaemonSet
  kind: Deployment
  replicas: 1
  annotations: {}
  labels: {}
  podAnnotations: {}
  podLabels: {}
  additionalContainers: []
  volumeMounts:
    - name: csi-pvc
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /data/*"]
      volumeMounts:
        - name: csi-pvc
          mountPath: /data
  dnsPolicy: ClusterFirstWithHostNet
  imagePullSecrets: []

https://stackoverflow.com/questions/50588308
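
A narrower variant of the permission fix from the last answer, as an added example that is not part of the original posts or of the Traefik chart: it sets mode 600 only on regular files named acme.json and then verifies the result, so directories under the volume keep their search bit (a recursive `chmod 600` on `/data/*` also strips it from any subdirectory). The function names and the `ACME_FILE_NAME` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: tighten ACME storage permissions without touching directories.
# ACME_FILE_NAME and the function names are assumptions for illustration.

ACME_FILE_NAME="${ACME_FILE_NAME:-acme.json}"

# Print the octal mode of a path (GNU coreutils and BusyBox stat accept -c).
file_mode() {
    stat -c '%a' "$1"
}

# Force every regular file named $ACME_FILE_NAME under directory $1 to 600.
# Symlinks and directories are left alone (-type f matches regular files only).
# Returns: 0 all copies are now exactly 600
#          1 no such file exists yet (Traefik has not created it)
#          2 $1 is not a directory
#          3 chmod failed, or a copy is still not 600
fix_acme_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    first=$(find "$root" -type f -name "$ACME_FILE_NAME" | head -n 1)
    if [ -z "$first" ]; then
        echo "no $ACME_FILE_NAME under $root yet" >&2
        return 1
    fi

    find "$root" -type f -name "$ACME_FILE_NAME" -exec chmod 600 {} + || return 3

    # Verify: -perm 600 is an exact match, so 660 or 640 would be listed here.
    bad=$(find "$root" -type f -name "$ACME_FILE_NAME" ! -perm 600)
    if [ -n "$bad" ]; then
        echo "still not 600: $bad" >&2
        return 3
    fi
    return 0
}

# Run against a directory when one is given, e.g. sh fix-acme.sh /data
if [ "$#" -gt 0 ]; then
    fix_acme_perms "$1"
fi
```
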