I get "acme: error: 400 Timeout during connect" when using the "tls-alpn-01" challenge for Let's Encrypt certificates with traefik in kubernetes

Problem description

I followed the tutorial to use traefik as the ingress and ingress controller for an Azure Kubernetes Service (AKS) cluster. I am deploying the traefik (version 1.7.24) helm chart with terraform.

resource "helm_release" "traefik" {
  name       = "traefik"
  namespace  = "traefik"
  repository = "https://charts.helm.sh/stable"
  chart      = "traefik"
  version    = "1.87.2"
  values = [<<EOF
loadBalancerIP: "50.100.200.300"
service:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-resource-group: "aks-rg"
kubernetes:
  ingressClass: traefik
  ingressEndpoint:
    useDefaultPublishedService: true
dashboard:
  enabled: true
  domain: traefik.mydomain.tld
  ingress:
    annotations:
      kubernetes.io/ingress.class: traefik
metrics:
  serviceMonitor:
    enabled: true
rbac:
  enabled: true
ssl:
  enabled: true
  enforced: true
acme:
  enabled: true
  email: admin@mydomain.tld
  staging: true
  tlsChallenge: true
  entrypoint: https
  ports: "443:443"
  challengeType: tls-alpn-01
  onHostRule: true
  domains:
    enabled: true
    domainsList:
      - main: "mydomain.tld"
      - sans:
        - "traefik.mydomain.tld"
EOF
  ]
}

The DNS records correctly point to the AKS load balancer IP.

When I check the traefik logs I can see the "tls-alpn-01" challenge failing with the following error:

{"level":"error","msg":"Unable to obtain Acme certificate for domains \"mydomain.tld,traefik.mydomain.tld\" : unable to generate a certificatefor the domains [mydomain.tld traefik.mydomain.tld]: acme: Error -\u003e One or more domains had a problem:\n[mydomain.tld] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem),url: \n[traefik.mydomain.tld] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem),url: \n","time":"2021-02-26T02:32:05Z"}

The full log is as follows:

{"level":"info","msg":"Using TOML configuration file /config/traefik.toml","time":"2021-02-26T02:31:38Z"}
{"level":"info","msg":"No tls.defaultCertificate given for https: using the first item in tls.certificates as a fallback.","msg":"Traefik version v1.7.24 built on 2020-03-25_04:34:11PM","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v1.7/basics/#collected-data\n","msg":"Preparing server traefik \u0026{Address::8080 TLS:\u003cnil\u003e Redirect:\u003cnil\u003e Auth:\u003cnil\u003e WhitelistSourceRange:[] WhiteList:\u003cnil\u003e Compress:false ProxyProtocol:\u003cnil\u003e ForwardedHeaders:0xc000851700} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s","msg":"Preparing server http \u0026{Address::80 TLS:\u003cnil\u003e Redirect:0xc0000b1b80 Auth:\u003cnil\u003e WhitelistSourceRange:[] WhiteList:\u003cnil\u003e Compress:true ProxyProtocol:\u003cnil\u003e ForwardedHeaders:0xc0008516a0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s","msg":"Starting server on :8080","msg":"Preparing server https \u0026{Address::443 TLS:0xc000431e60 Redirect:\u003cnil\u003e Auth:\u003cnil\u003e WhitelistSourceRange:[] WhiteList:\u003cnil\u003e Compress:true ProxyProtocol:\u003cnil\u003e ForwardedHeaders:0xc0008516c0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s","msg":"Starting provider configuration.ProviderAggregator {}","msg":"Starting server on :80","msg":"Starting server on :443","msg":"Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"disablePasshostheaders\":false,\"EnablePasstLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"traefik\",\"IngressEndpoint\":{\"IP\":\"\",\"Hostname\":\"\",\"PublishedService\":\"traefik/traefik\"},\"ThrottleDuration\":0}","msg":"ingress label selector is: \"\"","msg":"Creating in-cluster Provider client","msg":"Starting provider *acme.Provider {\"Email\":\"admin@mydomain.tld\",\"AcmeLogging\":false,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"/acme/acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"RSA4096\",\"OnHostRule\":true,\"ondemand\":false,\"DNSChallenge\":null,\"HTTPChallenge\":null,\"TLSChallenge\":{},\"Domains\":[{\"Main\":\"mydomain.tld\",\"SANs\":[\"traefik.mydomain.tld\"]}],\"Store\":{}}","msg":"Testing certificate renew...","msg":"Server configuration reloaded on :8080","msg":"Server configuration reloaded on :80","msg":"Server configuration reloaded on :443","time":"2021-02-26T02:31:39Z"}
{"level":"info","msg":"Register...","time":"2021-02-26T02:31:42Z"}
{"level":"info","msg":"Updated status on ingress traefik/traefik-dashboard","time":"2021-02-26T02:31:55Z"}
{"level":"info","time":"2021-02-26T02:31:55Z"}
{"level":"error","time":"2021-02-26T02:32:05Z"}

I have even added an "AllowAll" rule to the AKS LoadBalancer NSG (firewall), but the tls-alpn-01 validation still hits the timeout error. No ssl certificate is generated, and my website is serving the default, expired example.com ssl certificate.

I can confirm that telnet to port 443 of mydomain.tld also works fine.

PS: I don't want to use the "dns-01" challenge for the ssl certificate because the dns provider has no API for Let's Encrypt. I can't use "http-01" because these are backend servers without any web server.

Any help is highly appreciated. I would also like to know how the tls-alpn-01 challenge actually works.
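The question asks how tls-alpn-01 works. As an added example (not part of the original question or of Traefik), the Python below parses Traefik 1.7 ACME error records like the one quoted above into per-domain failures, and probes a host the way the Let's Encrypt validator does for tls-alpn-01 (RFC 8737): one TLS handshake with SNI set to the domain being validated and ALPN "acme-tls/1", with no certificate verification because the challenge certificate is self-signed by design. The host/domain names passed to the probe and the function names are assumptions.

```python
import hashlib
import json
import re
import socket
import ssl
# One entry per failed identifier in a Traefik 1.7 "Unable to obtain Acme certificate" record:
# "[<domain>] acme: error: <status> :: <urn type> :: <detail>,url: "
ACME_ERR = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d+) :: (?P<type>urn:\S+) :: (?P<detail>[^\n,]*)"
)

def parse_acme_failures(log_line):
    """Return [{domain, status, type, detail}] for an error record, [] for anything else."""
    rec = json.loads(log_line)
    if rec.get("level") != "error":
        return []
    return [
        {"domain": m["domain"], "status": int(m["status"]),
         "type": m["type"].rsplit(":", 1)[-1],      # e.g. "connection"
         "detail": m["detail"].strip()}
        for m in ACME_ERR.finditer(rec.get("msg", ""))
    ]

def probe_acme_tls_alpn(host, domain, port=443, timeout=10.0):
    """Open a TLS connection the way the tls-alpn-01 validator does (RFC 8737):
    SNI = the domain being validated, ALPN = "acme-tls/1". Returns what the validator would see."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # the challenge certificate is self-signed by design
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["acme-tls/1"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"reachable": True,
                        # "acme-tls/1" = the ACME responder answered; None = something else
                        # (e.g. a TLS-terminating load balancer) took the handshake
                        "alpn": tls.selected_alpn_protocol(),
                        "cert_sha256": hashlib.sha256(der).hexdigest()}
    except OSError as exc:          # timeout/refused: what Let's Encrypt reports as "Timeout during connect"
        return {"reachable": False, "alpn": None, "error": repr(exc)}

# The error record quoted in the question above.
SAMPLE_ERROR_LINE = r'{"level":"error","msg":"Unable to obtain Acme certificate for domains \"mydomain.tld,traefik.mydomain.tld\" : unable to generate a certificatefor the domains [mydomain.tld traefik.mydomain.tld]: acme: Error -\u003e One or more domains had a problem:\n[mydomain.tld] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem),url: \n[traefik.mydomain.tld] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem),url: \n","time":"2021-02-26T02:32:05Z"}'

if __name__ == "__main__":
    for f in parse_acme_failures(SAMPLE_ERROR_LINE):
        print(f"{f['domain']}: {f['status']} {f['type']} - {f['detail']}")
    # Assumed names: replace with the AKS load balancer address and the domain being validated.
    print(probe_acme_tls_alpn("mydomain.tld", "mydomain.tld"))
```

Run the probe from outside the cluster: "reachable": False reproduces the validator's "Timeout during connect", while "reachable": True with "alpn": None means port 443 answers but the ACME responder is not the one completing the handshake.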
