Docker-compose with let's encrypt: TLS Challenge

This guide aims to demonstrate how to create a certificate with the Let's Encrypt TLS challenge in order to use https on a simple service exposed with Traefik.
Please also read the basic example for details on how to expose such a service.

Prerequisite

For the TLS challenge you will need:

  • A publicly accessible host allowing connections on port 443, with docker & docker-compose installed.
  • A DNS record with the domain you want to expose pointing to this host.

Setup

  • Create a docker-compose.yml on your remote server with the following content:

version: "3.3"

services:

  traefik:
    image: "traefik:v2.0.0-rc3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
      #- "--certificatesresolvers.mytlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.mytlschallenge.acme.email=postmaster@mydomain.com"
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=mytlschallenge"
  • Replace postmaster@mydomain.com with your own email address in the certificatesresolvers.mytlschallenge.acme.email command line argument of the traefik service.
  • Replace whoami.mydomain.com with your own domain in the traefik.http.routers.whoami.rule label of the whoami service.
  • Optionally, if you want to test or debug, uncomment the following lines:

    #- "--log.level=DEBUG"
    #- "--certificatesresolvers.mytlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

  • Run docker-compose up -d within the folder where you created the previous file.

  • Wait a bit and visit https://your_own_domain to confirm everything went fine.

Note

If you uncomment the acme.caserver line, you will get an SSL error, but if you display the certificate and see that it was issued by Fake LE Intermediate X1, then it means all is good (this is the intermediate certificate of the staging environment used by Let's Encrypt). You can now safely comment the acme.caserver line again, remove the letsencrypt/acme.json file and restart Traefik to issue a valid certificate.
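As an added example that is not part of the Traefik documentation, the following POSIX shell script checks the two things this note and the setup above depend on: that the ACME store ./letsencrypt/acme.json is readable only by its owner (Traefik rejects a store whose group or other bits are set, which is easy to hit after copying the file between hosts with a default umask), and whether the certificate currently served for your domain was issued by the staging CA (Fake LE Intermediate X1 or a "(STAGING)" issuer) or by production. It assumes openssl is installed on the host and that the compose file is in the current directory; the script name and the domain argument are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Traefik docs: post-deployment checks for the
# TLS-challenge setup. Assumes `openssl` on the host and that the ACME store is
# ./letsencrypt/acme.json, the host path used by the volume mapping in the guide.

# File mode as an octal string: GNU stat first, BSD/macOS stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the ACME store is private to its owner (mode 600).
# Traefik refuses a store with group/other permissions, so an acme.json that
# ended up as 644 leaves you with no certificate at all.
acme_store_is_private() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "no store at $f (Traefik creates it on first start)" >&2
        return 1
    fi
    mode=$(file_mode "$f")
    case "$mode" in
        600|0600) return 0 ;;
        *) echo "$f has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Classify an issuer line as printed by `openssl x509 -noout -issuer`.
# Staging certificates (acme.caserver uncommented) are signed by
# "Fake LE Intermediate X1" or, on the newer staging CA, a "(STAGING)" issuer.
# The staging pattern is tested first because its issuer also contains
# "Let's Encrypt".
issuer_kind() {
    case "$1" in
        *"Fake LE"*|*STAGING*) echo staging ;;
        *"Let's Encrypt"*)     echo production ;;
        *)                     echo unknown ;;
    esac
}

# Fetch the issuer of the certificate actually served for DOMAIN on port 443.
# -servername sends SNI, which Traefik needs in order to pick the certificate
# matching the Host rule of the router.
live_issuer() {
    domain="$1"
    printf '' | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Usage (placeholder names): sh check_tls_setup.sh whoami.mydomain.com
if [ -n "${1:-}" ]; then
    acme_store_is_private ./letsencrypt/acme.json
    issuer=$(live_issuer "$1")
    echo "$1: $issuer -> $(issuer_kind "$issuer")"
fi
```

Run it once with the staging caserver line active and once after switching back to production: the first run should report "staging", the second "production", and the permission check should pass in both cases.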

Explanation

What changed compared to the basic example:

  • We replaced the web entry point with one for https traffic:
command:
  # Traefik will listen for incoming requests on port 443 (https)
  - "--entrypoints.websecure.address=:443"
ports:
  - "443:443"
  • We configured the https Let's Encrypt challenge:
command:
  # Enable a tls challenge named "mytlschallenge"
  - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
  • We added a volume to store our certificates:
volumes:
  # Create a letsencrypt dir within the folder where the docker-compose file is
  - "./letsencrypt:/letsencrypt"

command:
  # Tell Traefik to store the certificates at a path under our volume
  - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
  • We configured the whoami service to tell Traefik to use the certificate resolver named mytlschallenge that we just set up:
labels:
  # Uses the Host rule to define which certificate to issue
  - "traefik.http.routers.whoami.tls.certresolver=mytlschallenge"