ACME / Let'sencrypt while having TLS store for local names?

Hello,

I have a setup where I currently have a wildcard certificate that I manage manually (*.domain.com), and a wildcard for internal only services (*.home.arpa).

So I have a dynamic config file that looks like this:

tls:
  certificates:
    - certFile: "/etc/traefik/certs/wildcard.crt"
      keyFile: "/etc/traefik/certs/wildcard.key"
    - certFile: "/etc/letsencrypt/live/domain.com/fullchain.pem"
      keyFile: "/etc/letsencrypt/live/domain.com/privkey.pem"

  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/wildcard.crt"
        keyFile: "/etc/traefik/certs/wildcard.key"

Now I want to switch to something more dynamic, with a single point of management being Traefik for all my external services (my internal wildcard is valid for 10 years, so I don't have an issue there).

I've configured the ACME resolver in my traefik config:

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"
  websecure:
    address: ":443"

certificatesResolvers:
  le:
    acme:
      email: superadmin@email.com
      storage: acme.json
      httpChallenge:
        entryPoint: web

And when I tried to switch a docker container with the following labels:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myrouter.rule=Host(`example.domain.com`)"
      - "traefik.http.routers.myrouter.entrypoints=web,websecure"
      - "traefik.http.routers.myrouter.tls=true"
      - "traefik.http.routers.myrouter.tls.certresolver=le"
      - "traefik.http.services.myrouter.loadbalancer.server.port=80"

Then I re-upped the container, and the config is applied:

docker inspect mycontainer | jq '.[].Config.Labels' | grep traefik
  "traefik.enable": "true",
  "traefik.http.routers.myrouter.entrypoints": "web,websecure",
  "traefik.http.routers.myrouter.rule": "Host(`example.domain.com`)",
  "traefik.http.routers.myrouter.tls": "true",
  "traefik.http.routers.myrouter.tls.certresolver": "le",
  "traefik.http.services.myrouter.loadbalancer.server.port": "80"

Yet when I inspect the website with a new browser, the used certificate is still the wildcard one.

Is there a way to keep using the wildcard one for containers I haven't migrated yet and use the certresolver at the same time?

Thank you for your help :slight_smile:

Have you tried to just remove:

You don't need "web", it will never be used, as you have a redirect on entrypoint:

Thank you for your answers.

I removed tls=true and the web entrypoint, and the issue remains the same: it's still the wildcard cert that is presented.

Have you tried assigning the certResolver globally to the entrypoint and remove the old external wildcard from tls?

Then you may not need to manually migrate all existing services.

Wouldn't traefik try to generate certificates for the home.arpa services then?

I can't find the setup you're talking about in the doc: Traefik Let's Encrypt Documentation - Traefik

Can you point me in the right direction on assigning a resolver to an entrypoint?

OK, it turns out I just copied and pasted the acme.json storage section of the certresolver, without realizing that the /etc/traefik folder was mounted read-only.

So I created an acme.json file, mounted it read-write with 600 permissions, and now I can see some action in the log file.

However, it looks like the resolver sees the wildcard domain certificate in the store and therefore does not generate a single-domain request:

2025-08-14T12:44:26Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["example.domain.com"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=le.acme routerName=mycontainer@docker rule=Host(`example.domain.com`)
2025-08-14T12:44:26Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["example.domain.com"] providerName=le.acme routerName=mycontainer@docker rule=Host(`example.domain.com`)

(domain name is obfuscated, I'm not using example.domain.com :smiley: )

Is there any way to force it, or should I go through all my routers to add the certresolver before removing my wildcard?
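To make sense of the two log lines above, here is an added example (not Traefik's own code, and not from this thread) that models the check they describe: each Host() domain of a router is compared against the certificates already provided in the TLS store, and only domains no provided certificate covers need an ACME order. It assumes wildcard matching as in RFC 6125 (one leftmost label only) and uses a constructed store and router list based on the post.

```python
# Added example, not Traefik's code: models the "Looking for provided
# certificate(s) to validate" / "No ACME certificate generation required"
# decision shown in the log. Assumption: a provided wildcard SAN covers a
# host exactly as in RFC 6125, i.e. "*" stands for one leftmost label, so
# "*.domain.com" covers "a.domain.com" but neither "domain.com" nor "a.b.domain.com".

def hostname_matches(name: str, san: str) -> bool:
    """Return True if certificate SAN `san` covers hostname `name`."""
    name, san = name.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return name == san
    suffix = san[1:]                      # ".domain.com"
    if not name.endswith(suffix):
        return False
    prefix = name[: -len(suffix)]         # the part the "*" stands for
    return prefix != "" and "." not in prefix

def uncovered_domains(domains, provided_sans):
    """Router domains that no provided certificate in the store covers.
    Only these would trigger an ACME order; a domain covered by a provided
    wildcard is left alone, which is what the OP's log shows."""
    return [d for d in domains
            if not any(hostname_matches(d, san) for san in provided_sans)]

# Constructed sample: the store from the post (external wildcard still
# present plus the internal home.arpa wildcard) and a few router hosts.
STORE_BEFORE = ["*.domain.com", "*.home.arpa"]
STORE_AFTER = ["*.home.arpa"]             # external wildcard removed
ROUTERS = ["example.domain.com", "nas.home.arpa", "deep.sub.domain.com"]

if __name__ == "__main__":
    # With the external wildcard in the store, example.domain.com is
    # "already provided"; after removing it, an ACME order is needed for
    # it, while nas.home.arpa stays covered by the internal wildcard.
    print("needs ACME before:", uncovered_domains(ROUTERS, STORE_BEFORE))
    print("needs ACME after: ", uncovered_domains(ROUTERS, STORE_AFTER))
```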

Global certResolver: simple Traefik example.

Just remove the old wildcard from the dynamic config file.

That's not an example of an entrypoint resolver.

It's a standard resolver and a whoami with a dedicated host name.

If I remove the wildcard from the TLS store, I have to make sure that ALL the domains I'm running are going to use the certresolver before I do, I guess.

I wanted to do a smooth transition and do it step by step, hence the initial question :slight_smile:

Oh, I see the line:
- --entrypoints.websecure.http.tls.certresolver=myresolver

So this is how you set it up?

Let me try that.

OK, so I tried it: it works for the container that has the resolver, but not the others, and I don't know why.

Do you set only .tls=true on the routers? That might override the global certResolver.