
Generating a private key for an SSL certificate used inside a Docker container

Stack Overflow user
Asked 2020-09-19 18:32:22
1 answer · 1.7K views · 0 followers · score 1

I am working on a project that runs on Docker with 3 containers:

  • Django
  • PostgreSQL
  • traefik

Now I want to generate a private key to add an SSL certificate to my website. The question is: where should I generate the private key?

Inside the main server that runs Docker?

Or in the Django container?

Or in the Traefik container?

I am using python:3.6-alpine and traefik: for Traefik & Django.

If the private key should be generated in a container, what command line should be used inside the container to generate it?

Actually, I have already built the private.key and certification.crt files and referenced them in the traefik.toml file, and I get the following error:

```
failed to load X509 key pair: tls: failed to find any PEM data in certificate input
```

That is why I think the problem is the private.key I generated on the main server rather than in any of the containers.

For more information, here is the configuration used in the traefik.toml file:

```toml
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]
# Entrypoints, http and https
[entryPoints]
  # http should be redirected to https
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  # https is the default
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
    certFile = "/certs/ new_cert_v2.chained.crt"
    keyFile = "/certs/hrattendence_gs-group_nl.key"

[file]
[backends]
  [backends.django]
    [backends.django.servers.server1]
      url = "http://django:5000"
[frontends]
  [frontends.django]
    backend = "django"
    passHostHeader = true
    [frontends.django.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.django.routes.dr1]
      rule = "Host:IP here"
```

Here is the full error message:

```
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Using TOML configuration file /etc/traefik/traefik.toml"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="No tls.defaultCertificate given for https: using the first item in tls.certificates as a fallback."
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Traefik version v1.7.16 built on 2019-09-13_01:12:20PM"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=error msg="failed to load X509 key pair: tls: failed to find any PEM data in certificate input"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc000b04b40 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0008fba60} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Preparing server https &{Address::443 TLS:0xc0007797a0 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0008fba80} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=error msg="Unable to add a certificate to the entryPoint \"https\" : unable to generate TLS certificate : tls: failed to find any PEM data in certificate input"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Starting server on :443"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Starting server on :80"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Starting provider *file.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Directory\":\"\",\"TraefikFile\":\"/etc/traefik/traefik.toml\"}"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=error msg="failed to load X509 key pair: tls: failed to find any PEM data in certificate input"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Server configuration reloaded on :80"
traefik_1_623bf12389b8 | time="2020-09-19T14:24:35Z" level=info msg="Server configuration reloaded on :443"
```

1 Answer

Stack Overflow user

Posted 2020-09-19 19:36:24

You should generate the TLS certificate and private key outside Docker, using whatever tools you normally use. That could be the openssl command-line tool, a hosted tool like Amazon's Certificate Manager or LetsEncrypt, or a broader credential-management tool such as Hashicorp's Vault. You probably do not have the tools to create and correctly sign a certificate inside the image, and that is fine.

Once you have the (signed) certificate and private key, you can inject them into the container at startup with a Docker bind mount. For example, if you use Docker to start these three containers and have the PEM file and the private key in the same directory, you can set

```yaml
services:
  traefik:
    volumes:
      - ./certs:/certs
```

to mount the certs subdirectory of the current directory at /certs inside the container.

Score 0
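As an added example (not code from the question, the answer or the Traefik project), here is a pre-flight check that mirrors how Traefik 1.x reads certFile and keyFile: each value is read as a file if the path exists inside the container, otherwise the string itself is parsed as PEM, so a missing bind mount or a mistyped path (note the space after /certs/ in the question's certFile value) surfaces as the "failed to find any PEM data" error seen above rather than as "no such file". The temp directory, the file names and the tiny placeholder PEM payload are constructed for the demo and are not real certificates.

```python
import base64
import os
import re
import tempfile

# One PEM block: label, base64 body, matching END label
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_file_or_content(value: str) -> bytes:
    """Mirror Traefik's FileOrContent: read the file if it exists, else use the string."""
    if os.path.isfile(value):
        with open(value, "rb") as fh:
            return fh.read()
    return value.encode()


def pem_block_types(data: bytes) -> list:
    """Labels of well-formed PEM blocks: valid base64 whose DER starts with a SEQUENCE."""
    found = []
    for label, body in PEM_BLOCK.findall(data.decode(errors="replace")):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue
        if der[:1] == b"\x30":  # certificates and PKCS#8 keys are DER SEQUENCEs
            found.append(label)
    return found


def check_tls_entry(cert_file: str, key_file: str) -> dict:
    """Report what Traefik would see for one [[entryPoints.https.tls.certificates]] entry."""
    report = {}
    for name, value in (("certFile", cert_file), ("keyFile", key_file)):
        types = pem_block_types(read_file_or_content(value))
        report[name] = {"is_path": os.path.isfile(value), "pem_types": types,
                        "error": None if types else "failed to find any PEM data in input"}
    return report


def demo() -> dict:
    """Constructed sample: placeholder PEM blocks (NOT real certificates) in a temp dir."""
    certs = tempfile.mkdtemp()
    stub = "MAMCAQE=\n"  # base64 of a 5-byte DER SEQUENCE, stands in for real DER
    for name, label in (("new_cert_v2.chained.crt", "CERTIFICATE"), ("site.key", "PRIVATE KEY")):
        with open(os.path.join(certs, name), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\n{stub}-----END {label}-----\n")
    good = check_tls_entry(f"{certs}/new_cert_v2.chained.crt", f"{certs}/site.key")
    # Same files, but with the stray space seen in the question's certFile value
    stray = check_tls_entry(f"{certs}/ new_cert_v2.chained.crt", f"{certs}/site.key")
    return {"good": good, "stray_space": stray}
```

Run the same check with the paths as they appear in traefik.toml from inside the Traefik container (for example via docker exec) to confirm both the mount and the PEM framing before restarting the proxy.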
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/63972111
