logo标签列表

Traefik与Service Fabric -- 连接Service Fabric服务器失败

azurecloudreverse-proxyazure-service-fabrictraefik
4

我已经在Azure Service Fabric集群上部署了Traefik,并使用以下配置:

# Enable Service Fabric configuration backend
[servicefabric]

# Service Fabric Management Endpoint
clustermanagementurl = "https://localhost:19080"

# Service Fabric Management Endpoint API Version
apiversion = "3.0"

insecureSkipVerify = true

然而,打开Traefik仪表板时,我得到了一个空白屏幕,因为它无法映射所有我的Fabric应用程序。
在我的一台VM上查看Traefik日志时,我反复看到这个错误: level=error msg="failed to connect to Service Fabric server Get https://localhost:19080/Applications/?api-version=3.0: x509: certificate is valid for .eastus.cloudapp.azure.com, not localhost on https://localhost:19080/Applications/?api-version=3.0"
我的Azure Service Fabric集群有一个由受信任的CA签名的SSL证书:Service Fabric management portal 我该如何解决这个问题?
编辑1:
如果有帮助的话,这是Traefik加载的配置(根据日志记录):
{
    "LifeCycle": {
        "RequestAcceptGraceTimeout": 0,
        "GraceTimeOut": 0
    },
    "GraceTimeOut": 0,
    "Debug": true,
    "CheckNewVersion": true,
    "AccessLogsFile": "",
    "AccessLog": null,
    "TraefikLogsFile": "",
    "TraefikLog": null,
    "LogLevel": "DEBUG",
    "EntryPoints": {
        "http": {
            "Network": "",
            "Address": ":80",
            "TLS": null,
            "Redirect": null,
            "Auth": null,
            "WhitelistSourceRange": null,
            "Compress": false,
            "ProxyProtocol": null,
            "ForwardedHeaders": {
                "Insecure": true,
                "TrustedIPs": null
            }
        }
    },
    "Cluster": null,
    "Constraints": [],
    "ACME": null,
    "DefaultEntryPoints": [
        "http"
    ],
    "ProvidersThrottleDuration": 2000000000,
    "MaxIdleConnsPerHost": 200,
    "IdleTimeout": 0,
    "InsecureSkipVerify": true,
    "RootCAs": null,
    "Retry": null,
    "HealthCheck": {
        "Interval": 30000000000
    },
    "RespondingTimeouts": null,
    "ForwardingTimeouts": null,
    "Docker": null,
    "File": null,
    "Web": {
        "Address": ":9000",
        "CertFile": "",
        "KeyFile": "",
        "ReadOnly": false,
        "Statistics": null,
        "Metrics": null,
        "Path": "/",
        "Auth": null,
        "Debug": false,
        "CurrentConfigurations": null,
        "Stats": null,
        "StatsRecorder": null
    },
    "Marathon": null,
    "Consul": null,
    "ConsulCatalog": null,
    "Etcd": null,
    "Zookeeper": null,
    "Boltdb": null,
    "Kubernetes": null,
    "Mesos": null,
    "Eureka": null,
    "ECS": null,
    "Rancher": null,
    "DynamoDB": null,
    "ServiceFabric": {
        "Watch": false,
        "Filename": "",
        "Constraints": null,
        "Trace": false,
        "DebugLogGeneratedTemplate": false,
        "ClusterManagementURL": "https://localhost:19080",
        "APIVersion": "3.0",
        "UseCertificateAuth": false,
        "ClientCertFilePath": "",
        "ClientCertKeyFilePath": "",
        "InsecureSkipVerify": true
    }
}

编辑 2:

有人建议使用我集群的远程地址而不是localhost,这样做会导致不同的错误:

提供程序连接错误:无法连接到Service Fabric服务器。 获取https://<hidden>.eastus.cloudapp.azure.com:19080/Applications/?api-version=3.0时出错:流错误:流ID 1;在https://<hidden>.eastus.cloudapp.azure.com:19080/Applications/?api-version=3.0上需要HTTP_1_1_REQUIRED;656.765021毫秒后重试

1
如果您的集群配置为使用证书连接,则必须设置 UseCertificateAuth: true 并指定证书所在位置。 - Diego Mendes
哪个文档页面指定了这个? 我应该使用什么属性来指定证书? 我可以内联指定证书吗?还是必须是文件路径? - johni
@johni 你是怎么查看日志的? - droid-zilla
3个回答
2

感谢Diego在我的问题下的评论,我通过以下添加成功解决了这个问题。

问题是什么?

  1. My SF cluster is secured, requiring a client certificate to login -- which was not specified in the Traefik TOML file. (wish the error logged was more informative)

  2. Looking at the Traefik logs, specifically on the SF part (look for the trace starting with Starting provider *servicefabric.Provider :

    "Watch": false,
"Filename": "",
"Constraints": null,
"Trace": false,
"DebugLogGeneratedTemplate": false,
"ClusterManagementURL": "https://localhost:19080",
"APIVersion": "3.0",
"UseCertificateAuth": false,      <-------- Important
"ClientCertFilePath": "",         <-------- Important
"ClientCertKeyFilePath": "",      <-------- Important
"InsecureSkipVerify": false
    • UseCertificateAuth -- indicates whether to use client certificate when Traefik queries the cluster's management endpoint.
    • ClientCertFilePath -- the path of the file containing the public key of the client certificate.
    • ClientCertKeyFilePath -- the path of the file containing the private key of the client certificate.

(这两个路径都应相对于traefik.exe

InsecureSkipVerify

Traefik的SF配置文件(如上所示)包括一个名为InsecureSkipVerify的设置。

  • InsecureSkipVerify -- 如果设置为false,则Traefik将拒绝与管理端点的连接,除非SSL证书由受信任的CA签名。
  • 如果证书为远程地址签名,而Traefik将https://localhost用作集群的端点,则可能会出现问题--此时Traefik会打印类似于以下错误:

failed to connect to Service Fabric server Get https://localhost:19080/Applications/?api-version=3.0: x509: certificate is valid for .eastus.cloudapp.azure.com, not localhost

要克服这个问题,您可以:

  • 设置InsecureSkipVerify = true并重新部署。
  • 将管理端点设置为远程地址:clustermanagementurl = "https://<hidden>.eastus.cloudapp.azure.com:19080"

再次感谢Diego给我提供了提示,让我理解并分享了上述解释。

2
Johni - 你能否澄清你最终使用的设置,以使它工作?我不清楚你是否设置了serviceFabric.tls设置(证书、密钥、insecureskipverify),以及其他一些设置“UseCertificateAuth”、“ClientCertFilePath”、“ClientCertKeyFilePath”。我一直在与Traefik进行斗争,但就连我的也无法连接。 - Andrew Moreno
2
我知道这是一个旧帖子,但我们刚刚遇到了完全相同的情况,而且这是我唯一看到提到客户端设置的地方。以下是最终为我们工作的提供程序部分: "Original Answer"(最初的回答)。
################################################################
# Service Fabric provider
################################################################

# Enable Service Fabric configuration backend
[servicefabric]

# Service Fabric Management Endpoint
clustermanagementurl = "https://localhost:19080"
# Note: use "https://localhost:19080" if you're using a secure cluster

# Service Fabric Management Endpoint API Version
apiversion = "3.0"

# Enable TLS connection.
#
# Optional
#
[serviceFabric.tls]
  cert               = "certs/servicefabric.crt"
  key                = "certs/servicefabric.key"
  insecureskipverify = true

UseCertificateAuth    =  true
ClientCertFilePath    = "certs/traefik.crt"
ClientCertKeyFilePath = "certs/traefik.key"
InsecureSkipVerify    =  true
UseCertificateAuth = true 对我很有帮助。但是你为什么有不同的crt和key文件呢? - officer
1
servicefabric.crt 是我们的Digicert/CA服务器证书,而traefik.crt是客户端认证证书。我们在服务群集节点之间运行gMSA安全性,并使用客户端认证来进行访问安全性。 - Scott McCollough
@ScottMcCollough 只是确认一下 - servicefabric.crt和key是引用ClusterConfig中'ServerCertificateCommonNames'下的密钥,而traefik.crt和key是引用ClusterConfig中'ClientCertificateCommonNames'下的密钥(并将admin设置为false)吗? - Kevek
0
这个 Diego 不起作用(至少在最新的 Traefik 版本上不起作用),原因是:failed to connect to Service Fabric server Get https://localhost:19080/Applications/?api-version=3.0: x509: certificate is valid for <hidden>.eastus.cloudapp.azure.com, not localhost。但是,通过设置 ClientCertKeyFilePathClientCertFilePath 设置,我成功地让它工作了,感谢您的原始评论。 - johni
正如错误提示所示,它失败是因为 ClusterManagementURL: https://localhost:19080 应该是你的群集 URL,本地群集默认没有安全性。 - Diego Mendes
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接