Я настраиваю экземпляр gitea с docker и traefik. Я бы хотел, чтобы он был защищен с помощью зашифрованного сертификата.
My docker -compose.yml выглядит следующим образом (с достаточным количеством комментариев, я надеюсь):
version: '3'
services:
reverse-proxy:
# The official v2.0 Traefik docker image
image: traefik:v2.0
command:
# Only for development environment
- "--log.level=DEBUG"
- "--log.filePath=/var/log/traefik.log"
- "--api.insecure=true"
# Get Docker as the provider
- "--providers.docker=true"
# Set the ports for the entry points
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# Set letsencrypt as the certificate provider
- "--certificatesresolvers.le.acme.email=myemail@lutix.org"
- "--certificatesresolvers.le.acme.storage=/acme.json"
- "--certificatesresolvers.le.acme.tlschallenge=true"
# let's encrypt staging server
- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
ports:
# The HTTP port
- "80:80"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
- "443:443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock" # So that Traefik can listen to the Docker events
- "./volumes/traefik/acme.json:/acme.json"
- "./volumes/traefik/traefik.log:/var/log/traefik.log"
gitea:
image: gitea/gitea
depends_on:
- "mysql"
- "reverse-proxy"
- "phpmyadmin"
ports:
- "10022:22"
volumes:
- "./volumes/gitea:/data"
labels:
# WARNING: 2 routers by protocol http and https
- traefik.http.routers.gitea-router-http.rule=Host(`gitea.lutix.org`)
- traefik.http.middlewares.https-redirection.redirectscheme.scheme=https
- traefik.http.routers.gitea-router-http.middlewares=https-redirection
- traefik.http.routers.gitea-router-https.rule=Host(`gitea.lutix.org`)
- traefik.http.routers.gitea-router-https.tls=true
- traefik.http.routers.gitea-router-https.entrypoints=websecure
- traefik.http.routers.gitea-router-https.tls.certresolver=le
- traefik.http.services.gitea-service.loadbalancer.server.port=3000
Я думал мои настройки были правильными, так как я вдохновлял себя на множество рессурсов / форумов / stackoverflow. Но в лог-файле traefik все еще есть сообщение, которое я не могу решить:
time="2020-02-03T05:26:29Z" level=debug msg="Domains
[\"gitea.lutix.org\"] need ACME certificates generation for domains \"gitea.lutix.org\"." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Loading ACME certificates [gitea.lutix.org]..." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Building ACME client..." providerName=le.acme
time="2020-02-03T05:26:29Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="Using TLS Challenge provider." providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Obtaining bundled SAN certificate"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: use tls-alpn-01 solver"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Trying to solve TLS-ALPN-01"
time="2020-02-03T05:26:33Z" level=debug msg="TLS Challenge Present temp certificate for gitea.lutix.org" providerName=acme
, пока все хорошо,
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54496: remote error: tls: bad certificate"
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54500: remote error: tls: bad certificate"
беспорядок начинается !
time="2020-02-03T05:26:44Z" level=debug msg="TLS Challenge CleanUp temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870" time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54512: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54516: remote error: tls: bad certificate"
В чем может быть причина, по которой я сталкиваюсь с этой ошибкой TLS? Что касается брандмауэра, все правила были отключены ради теста. Что я мог сделать, чтобы получить больше информации о том, что не удалось при рукопожатии TLS? Должен ли я переключиться на другой вызов, такой как http или dns?