Cannot get ACME client, "https is required"

I’ve got a local-only ACME CA running in a docker container alongside Traefik. This CA isn’t really available, and serves only HTTP.

The configuration for this CA is as follows:

  arp:
    acme:
      email: admin@arp.local
      storage: /letsencrypt/arp.json
      caserver: "http://acme.arp.local"
      httpChallenge:
        entryPoint: web

I’ve noticed Traefik stopped playing nice with this HTTP CA, as I can see the following logs:

ERR Unable to obtain ACME certificate for domains error="cannot get ACME client get directory at 'http://acme.arp.local': Get \"http://acme.arp.local\": HTTPS is required: http://acme.arp.local" ACME CA=http://acme.arp.local acmeCA=http://acme.arp.local domains=["graylog.arp.local"] providerName=arp.acme routerName=graylog@file rule=Host(`graylog.arp.local`)

What do I need to do to make Traefik work again with an HTTP ACME CA?

It seems that has been changed in August, see acme-go library advisory and release.

It seems you can specify a custom TLS cert for https to the CA via acme.caCertificates (doc).

So you should be able to create a local cert and use it with your CA and Traefik. The advisory states that https is a must according to specification, so the CA should support it.
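The change suggested above, as an added example that is not part of the original thread: the resolver from the question with the CA URL switched to HTTPS and the private root supplied through `acme.caCertificates`. The `https://` directory URL and the `/certs/arp-root-ca.pem` path are assumptions; substitute whatever your internal CA actually serves and wherever its root certificate is mounted.

```yaml
certificatesResolvers:
  arp:
    acme:
      email: admin@arp.local
      storage: /letsencrypt/arp.json

      # Before (rejected with "HTTPS is required"):
      # caServer: "http://acme.arp.local"

      # After: same ACME directory, reached over TLS (assumed URL).
      caServer: "https://acme.arp.local"

      # PEM file(s) holding the root that signed the ACME server's TLS
      # certificate, so Traefik can verify a CA that is not in the
      # system trust store. Hypothetical path; the file must be mounted
      # into the Traefik container and readable by the Traefik process.
      caCertificates:
        - /certs/arp-root-ca.pem

      httpChallenge:
        entryPoint: web
```

The certificate presented by the ACME endpoint needs a subject alternative name matching the host in `caServer` (here `acme.arp.local`), otherwise verification fails even with the root trusted.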

The CA wasn’t ever the problem. It’s getting the HTTPS on the internal ACME service itself, but I think I managed to get that working.

Now I have a different issue, but it’s an ACME<>internal CA server problem, so likely unrelated to Traefik.