In trying to upgrade to the latest traefik version to be able to generate TLS certs from LetsEncrypt, I've come across a problem when it comes to cert generation time.
This worked previously on `traefik:1.4` using the `acme.ondemand` flag and the other settings (minus the `httpChallenge` keys, of course).
Config:

```yaml
traefik:
  image: traefik:1.5.0-rc5-alpine
  ports:
    - 80:80/tcp
    - 443:443/tcp
  command:
    - --web
    - --rancher
    - --rancher.metadata
    - --acme
    - --acme.email=my@email.com
    - --acme.onhostrule
    - --acme.httpchallenge
    - --acme.httpchallenge.entrypoint=http
    - --acme.entrypoint=https
    - --acme.storage=/data/acme.json
    - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
    - --entryPoints=Name:https Address::443 TLS
    - --accesslog
    - --accesslog.format=json
    - --debug
```
OpenSSL `s_client` result for the not-yet-existent cert:

```
CONNECTED(00000003)
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
---
...
Verify return code: 21 (unable to verify the first certificate)
```
Traefik logs:

```
time="2018-01-16T19:17:49Z" level=debug msg="Looking for provided certificate to validate [mysite.com]..."
time="2018-01-16T19:17:49Z" level=debug msg="No provided certificate found for domains [mysite.com], get ACME certificate."
time="2018-01-16T19:17:49Z" level=debug msg="Looking for an existing ACME challenge for mysite.com..."
time="2018-01-16T19:17:49Z" level=debug msg="No certificate found or generated for mysite.com"
```
Attempting to narrow down to just a toml file with the same config to determine if that's the problem or not.
I found that in the end, the problem was actually that I didn't have a container matching the host that I was testing against, running in my cluster.
I was using `openssl s_client -connect host:443 -servername mysite.com`; however, I didn't realize that in the cluster I was targeting, there was no container with a label of `traefik.frontend.rule=Host:mysite.com`. Therefore, I was just getting a 404 from Traefik's perspective, which ended up using the default Traefik cert. When curling, I never got the 404 since I never got past the TLS handshake.
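The diagnosis above can be scripted: probe the endpoint with SNI for each hostname you expect Traefik to serve and flag every name that comes back with the `TRAEFIK DEFAULT CERT` placeholder, since that is the signature of "no frontend matched this Host, so ACME was never asked". The script below is an added example, not code from the thread or from the Traefik project; the endpoint, hostnames and the issued-certificate sample are assumptions, and the two embedded `s_client` outputs are constructed (the first mirrors the output shown in the question) so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not part of the thread): probe Traefik with SNI and tell apart a
# real certificate from the "TRAEFIK DEFAULT CERT" placeholder, which Traefik serves
# when no frontend's Host rule matches the requested name (so ACME was never asked).

# Return 0 when s_client output (passed as $1) shows the placeholder as the leaf cert.
# Matches both the old "s:/CN=..." and the newer "s:CN = ..." subject formats.
is_traefik_default_cert() {
    printf '%s\n' "$1" | grep -qE '^ *0 +s:/?CN ?= ?TRAEFIK DEFAULT CERT'
}

# Print the leaf subject (the "0 s:" line) from s_client output passed as $1.
leaf_subject() {
    printf '%s\n' "$1" | sed -n 's/^ *0 *s://p' | head -n 1
}

# Fetch the chain Traefik presents for SNI name $2 at endpoint $1 (host:port).
# This is a live network call; it only runs when the script is given arguments.
probe() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null
}

# For each name, report whether it got a real cert or the placeholder.
check_hosts() {
    endpoint="$1"
    shift
    for name in "$@"; do
        out=$(probe "$endpoint" "$name")
        if is_traefik_default_cert "$out"; then
            echo "$name: DEFAULT CERT (no frontend with Host:$name; ACME not triggered)"
        else
            echo "$name: $(leaf_subject "$out")"
        fi
    done
}

# Constructed sample (not captured from a live host) mirroring the s_client
# output in the question, so the parsing can be checked offline.
SAMPLE_DEFAULT='CONNECTED(00000003)
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
---'

# Constructed sample of what a successfully issued cert would look like
# (the issuer name is a placeholder, not a real CA).
SAMPLE_ISSUED='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mysite.com
   i:/O=Example CA/CN=Example Issuer
---'

# Usage: sh probe-sni.sh host:443 mysite.com other.example.com
if [ "$#" -ge 2 ]; then
    check_hosts "$@"
fi
```

Run it against the Traefik host with every name you expect a certificate for; a `DEFAULT CERT` line means the name has no matching `traefik.frontend.rule=Host:...` frontend on that entrypoint, which is worth checking before digging into ACME settings.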
The `onHostRule` option tries to challenge an ACME cert when you have a Host rule on a frontend with the same entrypoint as the ACME entrypoint. When new frontends are loaded, they use the entrypoint you specify or the `defaultEntrypoints`.

Here: your `defaultEntrypoints` is `http`; your ACME entrypoint is `https`. So when your frontend is created, it is assigned to `http`; that's why you don't have any challenge. Then, your logs only say that when you try to access https://example.com, Træfik tries to find a certificate among the already challenged ACME certs.

In order to fix this, you need to specify `defaultEntrypoints` with `https` (and `http` if you need it). You can try to add the snippet at the end of `traefik.toml`; it may help you.
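To make the point above concrete, here is the equivalent of the question's configuration as a `traefik.toml` for Traefik 1.5, with the weak setting and the corrected one side by side. This is an added example, not the snippet the reply refers to and not the project's own configuration; the email address and storage path are carried over from the question, and the container label is assumed to be the one the original poster found missing.

```toml
# Weak (implicit default): frontends land on "http" only, so onHostRule never
# sees a Host rule on the ACME entrypoint ("https") and no challenge is started.
# defaultEntryPoints = ["http"]

# Corrected: frontends are attached to both entrypoints, so the Host rule is
# present on "https" and ACME is triggered for it.
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "my@email.com"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"

# Still required (assumed container label, per the original poster's finding):
# a running container carrying traefik.frontend.rule=Host:mysite.com, otherwise
# there is no frontend at all and Traefik serves its default certificate.
```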