How do I use Route 53 for the Let's Encrypt DNS challenge in Traefik?

Rus*_*our 5 amazon-route53 traefik

My local domain is home.turtlesystems.co.uk. I am running Traefik on a local Docker Swarm cluster inside this domain.

Because the cluster has no direct Internet access, I cannot use the HTTPS challenge with Let's Encrypt, so I am trying to use Route53 as the DNS provider.

I have set up a zone in Route53 for my main domain, which is a subdomain of turtlesystems.co.uk, a domain I own.

My traefik.toml file looks like this:

debug = true

defaultEntryPoints = ["http", "https"]

[entryPoints]
   [entryPoints.http]
   address = ":80"
      [entryPoints.http.redirect]
      entryPoint = "https"
   [entryPoints.https]
   address = ":443"
      [entryPoints.https.tls]


# Enable ACME (Let's Encrypt) automated SSL
[acme]
email = "xxxxxxxxxxxxxxxxxxxx"
storage = "/etc/traefik/acme.json"
dnsProvider = "route53"
entryPoint = "https"
onDemand = true
onHostRule = true
acmeLogging = true

[[acme.domains]]
main = "home.turtlesystems.co.uk"

# Allow access to the Web UI
[web]
address = ":8080"

# Configure how docker will be run
[docker]
endpoint = "unix://var/run/docker.sock"
domain = "traefik"
watch = true
exposedbydefault = false
swarmmode = true

I created a service for Portainer with the following Traefik labels:

traefik.port=9000
traefik.docker.network=traefik-net
traefik.frontend.rule=Host:turtle-host-03.home.turtlesystems.co.uk;PathStripPrefix:/portainer
traefik.backend=portainer
traefik.enable=true
traefik.backend.loadbalancer=wrr

Since I have enabled acmeLogging in the traefik.toml file, I expected to get more information about what is or is not happening, but I only get the following INFO logs:

reverse_proxy.1.rqebssg613a8@turtle-host-03    | legolog: 2017/12/15 13:16:32 [INFO][home.turtlesystems.co.uk] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/z52B_D2iHeITPqT_7K-Z-Y-ieir3VT4l1qGW6tShrd8
reverse_proxy.1.rqebssg613a8@turtle-host-03    | legolog: 2017/12/15 13:16:32 [INFO][turtle-host-03.home.turtlesystems.co.uk] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/OxWRpDR3KZm4E0nGngVSRZgF3iE2nhQ3jlNaWtxbd08
reverse_proxy.1.rqebssg613a8@turtle-host-03    | legolog: 2017/12/15 13:16:32 [INFO][home.turtlesystems.co.uk] acme: Could not find solver for: tls-sni-01
reverse_proxy.1.rqebssg613a8@turtle-host-03    | legolog: 2017/12/15 13:16:32 [INFO][home.turtlesystems.co.uk] acme: Trying to solve DNS-01
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:06Z" level=debug msg="Look for provided certificate to validate [turtle-host-03.home.turtlesystems.co.uk]..."
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:06Z" level=debug msg="Look for provided certificate to validate [turtle-host-03.home.turtlesystems.co.uk]..."
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:06Z" level=debug msg="No provided certificate found for domains [turtle-host-03.home.turtlesystems.co.uk], get ACME certificate."
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:06Z" level=debug msg="Challenge GetCertificate turtle-host-03.home.turtlesystems.co.uk"
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:06Z" level=debug msg="No provided certificate found for domains [turtle-host-03.home.turtlesystems.co.uk], get ACME certificate."
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:06Z" level=debug msg="Challenge GetCertificate turtle-host-03.home.turtlesystems.co.uk"
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:07Z" level=debug msg="Look for provided certificate to validate [turtle-host-03.home.turtlesystems.co.uk]..."
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:07Z" level=debug msg="No provided certificate found for domains [turtle-host-03.home.turtlesystems.co.uk], get ACME certificate."
reverse_proxy.1.rqebssg613a8@turtle-host-03    | time="2017-12-15T13:17:07Z" level=debug msg="Challenge GetCertificate turtle-host-03.home.turtlesystems.co.uk"
reverse_proxy.1.rqebssg613a8@turtle-host-03    | legolog: 2017/12/15 13:17:10 [INFO][home.turtlesystems.co.uk] Checking DNS record propagation using [127.0.0.11:53]

As can be seen, it is trying to use the DNS challenge, but I do not get a certificate.

When I first set all of this up it did work, in fact I wrote a blog post about it, but now it does not. Looking at my AWS account I can see that the AWS_ACCESS_KEY I created for this purpose is being used, but nothing seems to be entered into the zone.

I am passing AWS_ACCESS_KEY, AWS_SECRET_ACCESS_KEY and AWS_REGION into the Portainer service as environment variables.

Is there any way I can turn on more logging? Is there any way to see Route 53 logs in AWS?

Update

While working on this, I noticed that Traefik is trying to use 127.0.0.11:53 as the DNS server on which it checks whether the TXT record has been created.

I then added --dns and --dns-search to the Traefik service, but this had no effect on the address Traefik uses for DNS. Is there another option I can set in Traefik to force this?

小智 6

  1. Go to AWS, create an IAM custom policy and paste the following JSON as the policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetChange",
                "route53:GetChangeDetails",
                "route53:ListHostedZones"
            ],
            "Resource": [
                "*"
            ]
            },
            {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
            ],
            "Resource": [
                "*"
            ]
            },
            {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "iam:ListServerCertificates",
                "iam:GetServerCertificate",
                "iam:UploadServerCertificate"
            ],
            "Resource": [
                "*"
            ]
            }
        ]
    }

Name the policy "dnsChallenge" (or whatever you like).

  2. Create a new IAM user and attach the policy above.

Copy the new user's keys, since you will need to set them as environment variables.

  3. Go to AWS Route53 and look at the hosted zone. You need 2 A records, for yourdomain.com and *.yourdomain.com, both pointing to the static IP of the host running traefik.

Copy the hosted zone ID of the domain for which you want to use the wildcard.

Define the following environment variables and make sure they are available when traefik starts.

export AWS_ACCESS_KEY_ID=*****************
export AWS_SECRET_ACCESS_KEY=**********************************
export AWS_HOSTED_ZONE_ID=*************

Edit traefik.toml:

[acme] # Automatically add Let's Encrypt Certificate.
email = "youremail@gmail.com"
storage= "acme.json" # Change to fully qualified and exposed path for docker
entryPoint = "https"
OnHostRule = false
acmelogging = true

# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
caServer = "https://acme-v02.api.letsencrypt.org/directory"

[acme.dnsChallenge]
  provider = "route53"
  delayBeforeCheck = 0

[[acme.domains]]
  main = "*.yourdomain.com"
  sans = ["yourdomain.com"]

From there it is a good idea to run it from the command line and watch the messages.


iTa*_*ayb 5

Adding to bhlowe's answer, I would use a more restricted IAM profile:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZonesByName"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/<INSERT_YOUR_HOSTED_ZONE_ID_HERE>"
            ]
        }
    ]
}
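A least-privilege check for the two IAM policies quoted in the answers above, as an added example that is not part of either answer. It assumes (my assumption, not stated on the page) that Traefik's route53 DNS-01 solver needs only ListHostedZonesByName, GetChange and ChangeResourceRecordSets, and it uses a placeholder hosted-zone id.

```python
"""Added example, not code from the question or answers: a least-privilege check
for the IAM policies quoted on this page. Assumption (mine): Traefik's route53
DNS-01 solver needs only the actions in DNS01_ACTIONS (exact names, no wildcards)."""
import json

DNS01_ACTIONS = {"route53:ListHostedZonesByName", "route53:GetChange",
                 "route53:ChangeResourceRecordSets"}
WRITE_ACTION = "route53:ChangeResourceRecordSets"  # the only action that edits a zone
ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"

def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy):
    """Return findings for an IAM policy document (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = {"write_on_wildcard": False, "extra_actions": set(), "write_zones": set()}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = set(_as_list(stmt.get("Action", [])))
        findings["extra_actions"] |= actions - DNS01_ACTIONS
        if WRITE_ACTION not in actions:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings["write_on_wildcard"] = True  # key could rewrite every zone
            elif res.startswith(ZONE_ARN_PREFIX):
                findings["write_zones"].add(res[len(ZONE_ARN_PREFIX):])
    return findings

def is_least_privilege(policy):
    """True when record writes are zone-scoped and nothing unrelated is granted."""
    f = lint_policy(policy)
    return bool(f["write_zones"]) and not f["write_on_wildcard"] and not f["extra_actions"]

# Constructed samples: the first answer's policy (condensed) and the second
# answer's scoped policy, with a placeholder hosted-zone id.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "route53:ChangeResourceRecordSets", "route53:GetChange",
        "route53:GetChangeDetails", "route53:ListHostedZones"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:UploadServerCertificate"]}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53:GetChange", "route53:ListHostedZonesByName"]},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": [ZONE_ARN_PREFIX + "ZONEID_PLACEHOLDER"]}]}
```

Run `is_least_privilege` on the policy you are about to attach; the broad policy fails because record writes are allowed on every zone and unrelated IAM actions are granted, the scoped one passes.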