Acme config empty, acme.json stays empty

Here's the situation: when starting up my traefik container, my acme.json remains empty and I get no errors regarding why.

Looking at the logs:

traefik  | time="2024-03-01T21:31:19Z" level=info msg="Starting provider *acme.Provider"
traefik  | time="2024-03-01T21:31:19Z" level=debug msg="*acme.Provider provider configuration: {\"email\":\"[REDACTED EMAIL]\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/certs/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]},\"ResolverName\":\"staging\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
traefik  | time="2024-03-01T21:31:19Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
traefik  | time="2024-03-01T21:31:19Z" level=info msg="Testing certificate renew..." providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
traefik  | time="2024-03-01T21:31:19Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
traefik  | time="2024-03-01T21:31:19Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
traefik  | time="2024-03-01T21:31:19Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=staging.acme
traefik  | time="2024-03-01T21:31:19Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

This line specifically got me confused:

Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=staging.acme

The configuration is just... empty?

Here is the relevant part of my config:

# EntryPoints
entrypoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    http:
      tls:
        certResolver: staging
        domains:
          - main: "[REDACTED DOMAIN]"
            sans:
              - "*.[REDACTED DOMAIN]"

# CertificateResolver
certificatesResolvers:
  staging:
    acme:
      email: [REDACTED EMAIL]
      storage: /etc/traefik/certs/acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

What am I missing?

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Is the config readable inside container and at the right location? Does the certs directory exist? Did you add the required env variables?

The config is readable, folder exists and acme.json is created, just empty (just tried to chmod 600 it, but that didn't change anything).
docker-compose:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - 80:80
      - 443:443
      - 8069:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
      - ./config/conf/:/etc/traefik/conf/
      - ./config/certs/:/etc/traefik/certs/
    environment:
      - CF_DNS_API_TOKEN=[TOKEN 1]
      - CF_ZONE_API_TOKEN=[TOKEN 2]
      - CF_API_KEY=[API Key]
      - CF_API_EMAIL=[EMAIL]
    networks:
      - frontend
    restart: unless-stopped
networks:
  frontend:
    external: true

Full static config:

global:
  checkNewVersion: false
  sendAnonymousUsage: false

# -- (Optional) Change Log Level and Format here...
#     - loglevels [DEBUG, INFO, WARNING, ERROR, CRITICAL]
#     - format [common, json, logfmt]
log:
  level: DEBUG
  format: common

api:
  dashboard: true
  insecure: true

# EntryPoints
entrypoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    http:
      tls:
        certResolver: staging
        domains:
          - main: "[DOMAIN]"
            sans:
              - "*.[DOMAIN]"

# CertificateResolver
certificatesResolvers:
  staging:
    acme:
      email: [EMAIL]
      storage: /etc/traefik/certs/acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

Check Traefik debug log specifically for

  • error
  • acme / ACME
  • dns / DNS
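
The check suggested in the reply above, as an added example (not part of the original thread and not Traefik project code): it parses the logfmt lines, lists those matching error/acme/dns, and decodes each "Configuration received" payload to show which provider published an empty configuration. The function names are made up for this example; the sample lines are copied from the first log posted in this thread.

```python
import json
import re

# Sample input: four lines copied from the first debug log posted in this thread.
SAMPLE_LOG = r'''traefik  | time="2024-03-01T21:31:19Z" level=info msg="Starting provider *acme.Provider"
traefik  | time="2024-03-01T21:31:19Z" level=info msg="Testing certificate renew..." providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
traefik  | time="2024-03-01T21:31:19Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=staging.acme
traefik  | time="2024-03-01T21:31:19Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
'''

# logfmt pair: key=value, where value is bare or a double-quoted string with \-escapes.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
KEYWORDS = re.compile(r"error|acme|dns", re.IGNORECASE)  # terms from the reply above
CONF_PREFIX = "Configuration received: "


def parse_line(line):
    """Split one log line (format: common) into a dict of its key=value fields."""
    fields = {}
    for key, raw in PAIR.findall(line):
        if raw.startswith('"'):
            try:
                raw = json.loads(raw)  # undo the \" and \\ escaping
            except ValueError:
                raw = raw[1:-1]  # keep the text if an escape is not JSON-compatible
        fields[key] = raw
    return fields


def triage(log_text):
    """Return (keyword or error-level hits, providers that published an empty config)."""
    hits, empty_from = [], []
    for line in log_text.splitlines():
        fields = parse_line(line)
        msg = fields.get("msg", "")
        if fields.get("level") == "error" or KEYWORDS.search(line):
            hits.append((fields.get("level", "?"), msg))
        if msg.startswith(CONF_PREFIX):
            conf = json.loads(msg[len(CONF_PREFIX):])
            # Empty http/tcp/udp/tls sections: this provider contributed nothing.
            if not any(conf.values()):
                empty_from.append(fields.get("providerName"))
    return hits, empty_from


if __name__ == "__main__":
    hits, empty_from = triage(SAMPLE_LOG)
    for level, msg in hits:
        print(f"{level:5} {msg[:90]}")
    print("empty configuration from:", empty_from)
```
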

Here's the full log when I spin up the container. When the default config is loaded, everything seems correct. But later on, you can see this:

"Configuration received: {"http":{},"tcp":{},"udp":{},"tls":{}}"

where the config seems to be empty again.

traefik  | time="2024-03-02T12:17:14Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yaml"
traefik  | time="2024-03-02T12:17:14Z" level=info msg="Traefik version 2.11.0 built on 2024-02-12T15:26:45Z"
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="Static configuration loaded {\"global\":{},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"tls\":{\"certResolver\":\"staging\",\"domains\":[{\"main\":\"[DOMAIN]\",\"sans\":[\"*.[DOMAIN]\"]}]}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\"},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"staging\":{\"acme\":{\"email\":\"[EMAIL]\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/certs/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]}}}}}"
traefik  | time="2024-03-02T12:17:14Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
traefik  | time="2024-03-02T12:17:14Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="Starting TCP Server" entryPointName=traefik
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="Starting TCP Server" entryPointName=web
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="Starting TCP Server" entryPointName=websecure
traefik  | time="2024-03-02T12:17:14Z" level=info msg="Starting provider *traefik.Provider"
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="*traefik.Provider provider configuration: {}"
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645},\"web-to-websecure\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-websecure\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}},\"redirect-web-to-websecure\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"models\":{\"websecure\":{\"tls\":{\"certResolver\":\"staging\",\"domains\":[{\"main\":\"[DOMAIN]\",\"sans\":[\"*.[DOMAIN]\"]}]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
traefik  | time="2024-03-02T12:17:14Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
traefik  | time="2024-03-02T12:17:14Z" level=info msg="Starting provider *acme.Provider"
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="*acme.Provider provider configuration: {\"email\":\"[EMAIL]\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/certs/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]},\"ResolverName\":\"staging\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
traefik  | time="2024-03-02T12:17:14Z" level=info msg="Testing certificate renew..." providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
traefik  | time="2024-03-02T12:17:14Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=staging.acme
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Added outgoing tracing middleware noop@internal" routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Setting up redirection to https 443" middlewareType=RedirectScheme entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal middlewareName=tracing
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Serving default certificate for request: \"homeassistant.[DOMAIN]\""
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Added outgoing tracing middleware noop@internal" entryPointName=web routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" middlewareType=RedirectScheme middlewareName=redirect-web-to-websecure@internal entryPointName=web routerName=web-to-websecure@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal middlewareType=RedirectScheme middlewareName=redirect-web-to-websecure@internal entryPointName=web
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" entryPointName=web middlewareType=Recovery middlewareName=traefik-internal-recovery
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal middlewareName=tracing
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" middlewareType=StripPrefix middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_redirect@internal entryPointName=traefik routerName=dashboard@internal
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik  | time="2024-03-02T12:17:15Z" level=debug msg="Serving default certificate for request: \"traefik.[DOMAIN]\""

Seems really strange. Can you try with an older Traefik release? Try with acme production?

I tried again with a fresh config following the ibracorp tutorial. Now it's working. The only things that are different to my old config:

  • now using traefik.yml instead of traefik.yaml
  • mapping ./config/:/etc/traefik/ instead of individual folders and files
  • acme.json is now in /etc/traefik/ instead of a subfolder

Maybe it was something to do with permissions after all.

For anyone else who finds this with the same error:
I followed the instructions as closely as possible and then changed the static config to my preferences: Traefik v2.6+

@bluepuma77 thanks for your time!