So, I'm trying to deploy my Docker swarm together with Traefik onto a cluster of DigitalOcean droplets. I'm using Traefik as the reverse proxy and load balancer, so I have to obtain the SSL certificates through Traefik. The documentation looks simple, so I really don't understand what exactly is wrong with my configuration. I hope you can tell me what I'm doing wrong. I'm using a wildcard domain so that most of my services run as subdomains of the root domain. So, here is my toml:

```toml
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[docker]
endpoint="unix:///var/run/docker.sock"
exposedByDefault=true
watch=true
swarmmode=true
domain="mouv.com"

[acme]
email = "leonardo@mouv.com"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
# caServer = "https://acme-v02.api.letsencrypt.org/directory"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [acme.dnsChallenge]
  provider = "digitalocean"
  delayBeforeCheck = 0
  [[acme.domains]]
  main = "*.mouv.com"
  sans = ["mouv.com"]
```

This is my docker-stack.yml:
```yaml
version: '3.6'
services:
  traefik:
    image: traefik:latest
    networks:
      - mouv-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    command: --api
    environment:
      DO_AUTH_TOKEN: "xxxxxxxxxxxxxxxx"
    deploy:
      placement:
        constraints: [node.role==manager]
  user:
    image: hollarves/users-mouv:latest
    networks:
      - mouv-net
    deploy:
      labels:
        - "traefik.port=8500"
        - "traefik.backend=user"
        - "traefik.docker.network=mouv-stack_mouv-net"
        - "traefik.enable=true"
        - "traefik.protocol=http"
        - "traefik.frontend.entryPoints=https"
        - "traefik.frontend.rule=Host:user.mouv.com"
  balances:
    image: hollarves/balances-mouv:latest
    networks:
      - mouv-net
    deploy:
      labels:
        - "traefik.port=8010"
        - "traefik.backend=balance"
        - "traefik.docker.network=mouv-stack_mouv-net"
        - "traefik.enable=true"
        - "traefik.protocol=http"
        - "traefik.frontend.entryPoints=https"
        - "traefik.frontend.rule=Host:balance.mouv.com"
  # this container is not part of traefik's network.
  firebase:
    image: hollarves/firebase-mouv:latest
    networks:
      - firebase-net
  [ ..... more containers ..... ]
networks:
  mouv-net:
    driver: overlay
  [ .... more networks .... ]
```

I also see this error in the logs:
mueve-stack_traefik.1.ndgfhj96lymx@node-1 | time="2019-02-19T13:15:46Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:50668: remote error: tls: unknown certificate authority"

and this one:

mueve-stack_traefik.1.igy1ilch6wl1@node-1 | time="2019-02-19T13:22:00Z" level=info msg="legolog: [WARN] [mueve.com] acme: error cleaning up: digitalocean: unknown record ID for '_acme-challenge.mueve.com.' "

When I try to navigate to one of my subdomain services, I get:

subdomain.mouv.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for 9a11926d7857657613b65578dfebc69f.8066eec25224a58acabd968e285babdf.traefik.default.

In my DigitalOcean domain configuration I just added an A record pointing to the manager node's IP and a CNAME record for *.mouv.com.
Posted on 2019-02-21 22:42:37
It is normal that the certificate issued by Let's Encrypt staging (caServer = "https://acme-staging-v02.api.letsencrypt.org/directory") is not a valid certificate.

https://letsencrypt.org/docs/staging-environment/

The staging environment intermediate certificate ("Fake LE Intermediate X1") is issued by a root certificate that is not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes, you can do so by adding the "Fake LE Root X1" certificate to your testing trust store. Important: do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.

To have a valid certificate, you must use the Let's Encrypt production endpoint (caServer = "https://acme-v02.api.letsencrypt.org/directory").
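The following is an added example, not code from the question or the answer above. It turns the answer into two checks a practitioner can run before and after a deploy: one reads the effective `caServer` out of a Traefik v1 TOML file (Traefik defaults to Let's Encrypt production when the key is absent) and reports whether it points at staging or production; the other classifies the certificate a browser actually received, telling a staging ("Fake LE") chain apart from Traefik's own generated fallback certificate (names ending in `.traefik.default`, as in the browser error quoted in the question) and from a production Let's Encrypt chain. `SAMPLE_TOML` is a constructed fragment modelled on the question, and every function name is an assumption of this example.

```python
"""Pre-deploy checks for the Traefik / Let's Encrypt staging mix-up (added example).

Assumptions: Traefik v1 TOML layout as in the question; function names
(acme_ca_server, classify_ca, switch_to_production, classify_served_cert)
are invented for this example, not Traefik APIs.
"""
import re

LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample modelled on the [acme] table in the question:
# the production URL is commented out, the staging URL is active.
SAMPLE_TOML = """\
[acme]
email = "leonardo@mouv.com"
storage = "acme.json"
entryPoint = "https"
# caServer = "https://acme-v02.api.letsencrypt.org/directory"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [acme.dnsChallenge]
  provider = "digitalocean"
"""


def _strip_comment(line: str) -> str:
    """Drop a trailing TOML comment, but leave '#' inside quoted strings alone."""
    out, quote = [], None
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == "#":
            break
        out.append(ch)
    return "".join(out).strip()


def acme_ca_server(toml_text: str) -> str:
    """Return the caServer that is actually in force in the [acme] table.

    Commented-out lines are ignored, so the production URL left as a
    comment in the question does not count. If the key is absent,
    Traefik uses Let's Encrypt production, so that is returned.
    """
    section = None
    for raw in toml_text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        header = re.match(r"^\[+\s*([^\]\s]+)\s*\]+$", line)
        if header:
            section = header.group(1)  # e.g. "acme", "acme.dnsChallenge"
            continue
        if section == "acme":
            kv = re.match(r'^caServer\s*=\s*"([^"]*)"$', line)
            if kv:
                return kv.group(1)
    return LE_PRODUCTION


def classify_ca(url: str) -> str:
    """'staging', 'production' or 'custom' for a caServer URL."""
    if url == LE_STAGING:
        return "staging"
    if url == LE_PRODUCTION:
        return "production"
    return "custom"


def switch_to_production(toml_text: str) -> str:
    """Rewrite every staging directory URL to the production one."""
    return toml_text.replace(LE_STAGING, LE_PRODUCTION)


def classify_served_cert(issuer: str, subject_names) -> str:
    """Classify the certificate a client received, from its issuer DN and SANs.

    A name ending in '.traefik.default' is Traefik's self-signed fallback,
    i.e. no ACME certificate matched the requested host at all. 'Fake LE'
    or '(STAGING)' in the issuer means a Let's Encrypt staging chain, which
    no browser trusts by design.
    """
    if any(name.endswith(".traefik.default") for name in subject_names):
        return "traefik-default"
    lowered = issuer.lower()
    if "fake le" in lowered or "(staging)" in lowered:
        return "staging"
    if "let's encrypt" in lowered:
        return "production"
    return "other"


if __name__ == "__main__":
    ca = acme_ca_server(SAMPLE_TOML)
    print(f"caServer in force: {ca} -> {classify_ca(ca)}")
    fixed = acme_ca_server(switch_to_production(SAMPLE_TOML))
    print(f"after switch:      {fixed} -> {classify_ca(fixed)}")
    print(classify_served_cert("CN=Fake LE Intermediate X1", ["*.mouv.com"]))
```

Run it against the real traefik.toml before `docker stack deploy` and refuse to deploy when the result is `staging`. When you do flip `caServer` to production, also remove the `acme.json` that was written while talking to staging (the `storage` setting above), so that Traefik registers a fresh account and requests new certificates from the production CA instead of reusing the staging state.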
https://stackoverflow.com/questions/54767496