apache Traefik ssl containers -“500内部服务器错误”，原因如下：x509：证书对127.0.0.1，：：1有效，而不是172.x.x.x

iibxawm4 于 2022-11-16 发布在 Apache

关注(0)|答案(2)|浏览(163)

我正在使用traefik：v2.8.2和在端口80和443上运行Apache的容器。Apache将端口80请求重定向到端口443。
下面是我的traefik.yml文件-

# configure logs
log:
  level: DEBUG # Set to 'DEBUG' for troubleshooting

# configure entry points
entryPoints:
  web:
    address: ":80"
    http:
      redirections: # http to https redirection
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  postgres:
    address: ":5432"
# configure providers
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # connection to the docker daemon
    exposedByDefault: false # ignore containers without label 'traefik.enable=true'
  file:
    directory: "/etc/traefik/conf" # directory for dynamic traefik configuration files
    watch: true # changes are processed immediately

# configure api service
api:
  dashboard: true # enable the traefik dashboard

下面是我的tls配置

tls:
  certificates:
    - certFile: "/etc/traefik/certs/knandan-cert.pem"
      keyFile: "/etc/traefik/certs/knandan-key.pem"

下面是我的docker-compose.yml文件

version: "3.8"

services:
  traefik:
    networks:
      - d_local
    image: traefik:v2.8.2
    container_name: "d_traefik"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --serverstransport.insecureskipverify=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro 
      - ./certs/:/etc/traefik/certs/:ro 
      - ./static_conf.yml:/traefik.yml:ro 
      - ./conf/:/etc/traefik/conf/:ro 
    labels:
      - traefik.enable=true 
      - traefik.docker.network=d_local
      - traefik.http.routers.traefik.entrypoints=websecure 
      - traefik.http.routers.traefik.rule=Host(`knandan.app`) 
      - traefik.http.routers.traefik.tls=true 
      - traefik.http.routers.traefik.service=api@internal 
      - traefik.http.services.traefik.loadbalancer.server.port=8080

  d_apiapp:
    build:
      context: apiapp
      dockerfile: .docker/Dockerfile
    container_name: apiapp
    restart: unless-stopped
    image: apiapp
    domainname: api.knandan.app
    ports:
      - "8080:80"
    networks:
      - d_local
    volumes:
      - "./apiapp:/srv/app"
      - "./certs:/etc/ssl/crt"
    labels:
      - traefik.enable=true
      - traefik.http.routers.apiapp.entrypoints=websecure
      - traefik.http.routers.apiapp.rule=Host(`api.knandan.app`)
      - traefik.http.routers.apiapp.tls=true
      - traefik.http.services.apiapp.loadbalancer.server.port=443
      - traefik.http.services.apiapp.loadbalancer.server.scheme=https
networks:
  d_local:
    external: true

当我运行docker-compose up时，我可以看到traefik Jmeter 板。但当我打开api.knandan.app时，我得到内部服务器错误
检查日志后，我知道一些SSL验证失败，下面是错误-

time="2022-08-18T07:04:09Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.18.0.2"

我注意到traefik正在容器ip上运行我的容器，而不是在主机名上运行

level=debug msg="Creating server 0 https://172.18.0.2:443" routerName=apiapp@docker serverName=0 serviceName=apiapp entryPointName=websecure

有人能帮我解决这个问题吗？谢谢。
下面是我的apache配置-它在traefik后面运行，以运行Laravel应用程序

000-default.conf

000-default-ssl.conf

apache

来源：https://stackoverflow.com/questions/73398784/traefik-ssl-containers-500-internal-server-error-caused-by-x509-certificat

2条答案

按热度按时间

biswetbf1#

可能Traefik使用的是默认的自动签名证书，我猜自定义证书不支持通配符证书。
因此，请尝试在配置文件中添加默认证书：

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/knandan-cert.pem
        keyFile: /etc/traefik/certs/knandan-cert.key

下面是一个有用的link
您还应该检查apiapp卷中指示的目录是否正确，如果apiapp是基于ubuntu的映像，它应该是/etc/ssl/certs而不是/etc/ssl/crt。

赞(0）回复(0）举报 2022-11-16

vh0rcniy2#

不要在容器名称中使用下划线。容器名称将用作无效的主机名。

赞(0）回复(0）举报 2022-11-16