A solution to the incredibly unhelpful "the router uses a non-existent resolver: letsencrypt" message

I am trying to get Lets Encrypt working. I kept getting "non existent resolver" issues, even though I ripple checked that the acme.json file was empty and in a location that traefik could write to.

I double checked that the certificatesResolvers.letsencrypt.* objects in my traefik.toml were correct and looked like other files that people had gotten to work.

I double checked that my dynamic/$SERVICE.toml file referenced the same certResolver = "letsencrypt" and yet i was still getting errors akin to the router $SERVICE@file uses a non-existent resolver: letsencrypt.

After a lot of testing and trial/error, here's what I was able to determine:

  • If the acme.json file exists but can't be opened, you will see a "permission denied" error in the log
  • if the acme.json file exists and can be opened, Traefik will attempt to parse the file. If the file does not contain the expected content, then the resolver will fail silently. Later, when Traefik parses the dynamic portions of your configuration, the routers will specify a resolver that silently failed to be created... hence the uses a non-existent resolver: errors.

The reason i was in this mess:

  • I have a bit of automation that creates an empty acme.json file very early on in the instance life cycle. This automation sets the appropriate permissions on the file as well as deposits the traefik config files.

This automation was putting a file with the content:

(no, your browser is not broken, that's an empty file in every sense of the word!)

on disk. Traefik was parsing this, not finding the info it expects, and then silently moving on.

As soon as i removed the empty json file and adjusted my systemd checks to not mark the service as failed if the file didn't exist on disk, traefik immediately started up and wrote the expected JSON to disk.

In the traefik 1.X days, an empty acme.json file was not a problem... the file was simply overwritten w/ . the correct content. No note of this behavior change is made in the migration guide, so i'm creating this post in the hopes that some other frustrated is shepherded this way by the SEO gods in a moment of need.

Replying so i can mark as solution:

TL;DR: Traefik 2.x does not indicate when the acme.json file could be opened but contains invalid data. In this case, the certificate resolver silently fails resulting in the cryptic "router uses non-existant resolver..." messages. Do not attempt to manage the JSON file outside of traefik; even a simple touch acme.json will break things w/o much of a clue in the logs.

1 Like

There is an open issue on this: https://github.com/traefik/traefik/issues/7414