ACME challenge not specified errors for configured resolver

Traefik Traefik v3 (latest)
1

after starting up traefik. I have the following in the log

2025-09-19T20:45:05Z INF Starting provider aggregator *aggregator.ProviderAggregator
2025-09-19T20:45:05Z INF Starting provider *file.Provider
2025-09-19T20:45:05Z INF Starting provider *traefik.Provider
2025-09-19T20:45:05Z INF Starting provider *acme.ChallengeTLSALPN
2025-09-19T20:45:05Z INF Starting provider *docker.Provider
2025-09-19T20:45:05Z INF Starting provider *acme.Provider
2025-09-19T20:45:05Z INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme
2025-09-19T20:45:06Z INF Error renewing certificate from LE : {Main:photos.mydomain SANs:} error="ACME challenge not specified, please select TLS or HTTP or DNS Challenge" acmeCA=https://acme->
2025-09-19T20:45:06Z INF Error renewing certificate from LE : {Main:tasks.mydomain SANs:} error="ACME challenge not specified, please select TLS or HTTP or DNS Challenge" acmeCA=https://acme-v>
2025-09-19T20:45:07Z INF Error renewing certificate from LE : {Main:keys.mydomain SANs:} error="ACME challenge not specified, please select TLS or HTTP or DNS Challenge" acmeCA=https://acme-v0>
2025-09-19T20:45:07Z INF Error renewing certificate from LE : {Main:online.mydomain SANs:} error="ACME challenge not specified, please select TLS or HTTP or DNS Challenge" acmeCA=https://acme->
2025-09-19T20:45:07Z INF Error renewing certificate from LE : {Main:office.mydomain SANs:} error="ACME challenge not specified, please select TLS or HTTP or DNS Challenge" acmeCA=https://acme->

Traefik is running as a docker on a VM and has been working well for me for over a year, including retrieving valid SSL certs from letsencrypt the whole time. This error is new since the upgrade to 3.5.2 from 3.5.1 and I’m not sure if I’ve done something to break this or 3.5.2 did.

my traefik is setup in docker with the following compose file

services:
  traefik:
    image: traefik:latest
    restart: always
    container_name: traefik
    deploy:
      resources:
        limits:
          cpus: '0.10'
          memory: 256M
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    command:
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--api.debug=true"
# logs
      - "--log.level=INFO"
      - "--log.filePath=/data/logs/traefik.log"
      - "--accesslog=true"
      - "--accesslog.filePath=/data/logs/access.log"
      - "--accesslog.fields.names.StartUTC=drop"
# providers
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.filename=/dynamic.yaml"
      - "--providers.docker.network=http"
      - "--entryPoints.http.address=:80"
      - "--entryPoints.https.address=:443"
# disable readTimeout 
      - "--entryPoints.https.transport.respondingTimeouts.readTimeout=0s"
# certificate resolver -> myresolver
      - "--certificatesResolvers.myresolver.acme.email=<email address>"
      - "--certificatesResolvers.myresolver.acme.storage=/data/acme.json"
      - "--certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"

    environment:
      - TZ=America/Los_Angeles
      - CONTAINER_NAME=traefik
      - CONTAINER_ENABLE_LOGSHIPPING=FALSE
      - CONTAINER_ENABLE_MONITORING=FALSE

      - LETSENCRYPT_EMAIL=<email address>
      - LETSENCRYPT_CHALLENGE=DNS
      - LETSENCRYPT_DNS_PROVIDER=cloudflare

      - CF_API_EMAIL=<email address>
      - CF_API_KEY=<sekrit goes here>

      - LETSENCRYPT_DNS_DOMAIN1_MAIN=mydomain.com

      - SERVER_TRANSPORT_INSECURE_SKIP_VERIFY=TRUE
    volumes:
      - ./data:/data
      - ./config:/etc/traefik
      - ./logs:/data/logs
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dynamic.yaml:/dynamic.yaml
    networks:
      - http



networks:
  http:
    external: true

You can see that dnschallenge is in the commands and the environment variables have worked in the past. Is it my config or is it something new in 3.5.2 (which I can’t seem to see in the release notes)? That is to say until recently this was a perfectly working setup.
Any suggestions are welcome.
I struggle to understand all the labels and commands in traefik so forgive me if I’ve done something weird here.
Thank you for any help

2

So… I seem to have solved this by adding the following two lines to the commands

  - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
  - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
After finding the following 2 articles.

* This one about basic setup from June of 2025
https://www.linkedin.com/pulse/configuring-traefik-reverse-proxy-cloudflare-dns-acme-riad-reza-shuvo-htpoc/ and 
* this one in the forums solving a related problem
https://community.traefik.io/t/failing-to-get-certs-over-dns-challenge/25653/2
3

Yes, you mixed Traefik static config in command and env, that does not work, decide for one.

4

Can you help me understand the difference between static and dynamic configurations. Or point me to documentation that will help me understand.
I run a dinky homelab primarily for me alone and don't have a problem restarting the service every time I change my mind. I get this isn't right but understanding the difference between dynamic and static config has baffled me which is why this is a bit of a scrambled mess.
I'm entirely self-taught and so are the vast majority of the sources I've used for the organic process of building this config from a beginning a little over 2 years ago. If it worked I was happy, ya know.
I'm doing the homework now and will see if I can make the transition to a set of files that won't break what I've already got working.
Could I trouble you to correct me if I pull the commands here and label them static vs dynamic?

5

Traefik static config is mostly entrypoints, certResolver, log. And providers. You need to define in traefik.yml, command: or env var.

Traefik dynamic config is mostly routers, middlewares, services. It's loaded via providers in static config. Most common are dynamic config files or using labels on container/services. You can use multiple. And config can change during runtime.