Traefik ACME DNS challenge not working with Docker



I am trying to configure Traefik as a proxy for Docker containers running on a DigitalOcean server.

Here is my Traefik container config:

version: '2'
services:
  traefik:
    image: traefik
    restart: always
    command: --docker
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik.toml:/traefik.toml
      - $PWD/acme.json:/acme.json
    container_name: traefik
    environment:
      DO_AUTH_TOKEN: abcd
    labels:
      - traefik.frontend.rule=Host:monitor.example.com
      - traefik.port=8080
networks:
  proxy:
    external: true

And traefik.toml:

defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"
  [web.auth.basic]
  users = ["admin:secretpassword"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "lakshmi@example.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
  [acme.dnsChallenge]
  provider = "digitalocean"
  delayBeforeCheck = 0

When I try to access https://monitor.example.com I get this error:

traefik    | time="2018-05-29T15:35:32Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.com\" detected thanks to rule \"Host:monitor.example.com\" : cannot obtain certificates: acme: Error -> One or more domains had a problem:\n[monitor.example.com] Error presenting token: HTTP 403: forbidden: You do not have access for the attempted action.\n"

I have supplied a valid DO token, and monitor.example.com points to the VM running Traefik. Am I missing a step?

I was getting the 403 because Traefik was trying to write TXT entries in my DigitalOcean domain for the ACME DNS challenge using a read-only token. I changed it to a read-write token and it works fine.
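The 403 in the log is DigitalOcean refusing the POST that creates the `_acme-challenge` TXT record, so the token's scope can be verified before Traefik ever asks for a certificate. The following is an added example, not code from Traefik or from the answer above: it creates a throwaway TXT record under the DNS zone with the DigitalOcean API v2 record endpoints (`POST /v2/domains/{zone}/records`, `DELETE /v2/domains/{zone}/records/{id}`) and deletes it again. A read-only token fails the POST with the same HTTP 403 seen in the Traefik log. The probe label `_acme-challenge-probe` is an assumption; any unused label works. The HTTP transport is injectable so the classification logic can be exercised offline with canned responses.

```python
"""Pre-flight check: can this DigitalOcean token write the TXT records an
ACME DNS-01 challenge needs?  Added example, not Traefik's own code."""
import json
import os
import sys
import urllib.error
import urllib.request

DO_API = "https://api.digitalocean.com/v2"
PROBE_NAME = "_acme-challenge-probe"   # assumed label; any unused label works


def urllib_transport(method, url, body, headers):
    """Live transport: returns (status, body text) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def probe_txt_write(zone, token, transport=urllib_transport):
    """Classify `token` as 'read-write', 'read-only' or 'error: <detail>'.

    `zone` is the DNS zone DigitalOcean manages (example.com), not the host
    name being certified.  `transport(method, url, body, headers)` must return
    (status, body); the default talks to the live API.
    """
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    record = {"type": "TXT", "name": PROBE_NAME,
              "data": "traefik-preflight", "ttl": 30}
    status, body = transport("POST", f"{DO_API}/domains/{zone}/records",
                             json.dumps(record).encode(), headers)
    if status == 403:
        # The failure on the page: the token can read the zone but not write it.
        return "read-only"
    if status == 401:
        return "error: token rejected (401)"
    if status != 201:
        return f"error: unexpected HTTP {status}: {body[:120]}"
    # The POST succeeded; remove the probe so no stray record is left behind.
    record_id = json.loads(body)["domain_record"]["id"]
    status, _ = transport("DELETE",
                          f"{DO_API}/domains/{zone}/records/{record_id}",
                          None, headers)
    if status != 204:
        return (f"error: created record {record_id} but could not delete it "
                f"(HTTP {status}); remove it by hand")
    return "read-write"


if __name__ == "__main__":
    # Usage: DO_AUTH_TOKEN=... python3 do_token_probe.py example.com
    print(probe_txt_write(sys.argv[1], os.environ["DO_AUTH_TOKEN"]))
```

Run it with the same `DO_AUTH_TOKEN` value the compose file passes to Traefik; if it prints `read-only`, regenerate the token with write scope before restarting Traefik. Because the probe actually writes to the zone, keep the TTL short and let the function delete the record; a token that can create but not delete is reported rather than silently left with a stray record.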

For anyone else running into this, make sure acme.json has 600 permissions. Don't create or touch acme.json yourself; let Traefik create it. After the pod is created, check the permissions on acme.json. The issue I found was that Traefik created acme.json and set it to 600. After running an upgrade, acme.json changed to 660 and the "unknown resolver letsencrypt" error started. The fix was to uncomment the "initContainers" lines in values.yml of the Traefik Helm chart. Basically, it sets the permissions to 600 before startup. Clunky, but it works.

deployment:
  enabled: true
  # Can be either Deployment or DaemonSet
  kind: Deployment
  replicas: 1
  annotations: {}
  labels: {}
  podAnnotations: {}
  podLabels: {}
  additionalContainers: []
  volumeMounts:
    - name: csi-pvc
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /data/*"]
      volumeMounts:
        - name: csi-pvc
          mountPath: /data
  dnsPolicy: ClusterFirstWithHostNet
  imagePullSecrets: []
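The mode matters for more than Traefik's own check: acme.json holds the ACME account private key and the private key of every certificate Traefik has obtained, so a group- or world-readable copy is a key leak, not just a startup failure. The following is an added example, not code from Traefik or from the Helm chart: a readiness check that reports what is wrong with the store (mode, symlink, a bind mount that became a directory because the host path did not exist) and can optionally apply the same `chmod 600` the busybox initContainer above applies. It runs stand-alone on a constructed file in the test below.

```python
"""Readiness check for Traefik's ACME store (acme.json).
Added example, not Traefik's or the Helm chart's own code."""
import os
import stat

ACME_MODE = 0o600   # the mode Traefik creates the file with and insists on


def acme_json_problems(path, fix=False):
    """Return a list of problems with the ACME store at `path` ([] if fine).

    A missing file is not a problem: Traefik creates it with 0600 on first
    run.  With fix=True an over-permissive mode is corrected in place and the
    problem is still reported so the caller knows it was touched.
    """
    problems = []
    if not os.path.exists(path):
        return problems
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path} is a symlink; mount the file itself")
        return problems
    if not stat.S_ISREG(st.st_mode):
        # Docker turns a bind mount of a missing host path into a directory.
        problems.append(f"{path} is not a regular file; remove it and let "
                        f"Traefik create the store")
        return problems
    mode = stat.S_IMODE(st.st_mode)
    if mode != ACME_MODE:
        msg = f"{path} has mode {mode:o}, expected {ACME_MODE:o}"
        if fix:
            os.chmod(path, ACME_MODE)
            msg += " (fixed)"
        problems.append(msg)
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        # Run this as the user Traefik runs as; a mismatch means Traefik
        # cannot rewrite the store when certificates renew.
        problems.append(f"{path} is owned by uid {st.st_uid}, but this check "
                        f"runs as uid {os.geteuid()}")
    return problems


if __name__ == "__main__":
    import sys
    store = sys.argv[1] if len(sys.argv) > 1 else "acme.json"
    for p in acme_json_problems(store, fix="--fix" in sys.argv):
        print(p)
```

Run it as the same user Traefik runs as, inside the container or initContainer, so the ownership comparison is meaningful; with `--fix` it does what the chart's initContainer does, but only to the one file rather than to everything under the volume.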
