Configured DNS-01 challenge but TLS-ALPN-01 get's used instead?

Traefik Traefik v3 (latest)
,
1

Hi there,

When I start the Traefik stack, I can see the following in the traefik.log

2025-04-15T00:01:59+02:00 INF Traefik version 3.3.5 built on 2025-03-31T08:45:53Z version=3.3.5
2025-04-15T00:01:59+02:00 INF Loading plugins... plugins=["traefik-oidc-auth"]
2025-04-15T00:02:00+02:00 INF Plugins loaded. plugins=["traefik-oidc-auth"]
2025-04-15T00:02:00+02:00 INF Starting provider aggregator *aggregator.ProviderAggregator
2025-04-15T00:02:00+02:00 INF Starting provider *file.Provider
2025-04-15T00:02:00+02:00 INF Starting provider *traefik.Provider
2025-04-15T00:02:00+02:00 INF Starting provider *docker.Provider
2025-04-15T00:02:00+02:00 INF Starting provider *acme.ChallengeTLSALPN
2025-04-15T00:02:00+02:00 INF Starting provider *acme.Provider
2025-04-15T00:02:00+02:00 INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2025-04-15T00:02:01+02:00 INF Register... providerName=cloudflare.acme

So if I understand this correctly, it's doing a TLS-ALPN-01 challenge instead of a DNS-01 challenge, correct?

Here's the relevant configurations:

docker-compose.yml

environment:
  - CF_API_EMAIL=${CF_API_EMAIL}
  - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
labels:
  - traefik.http.routers.noop-secure.entrypoints=websecure
  - traefik.http.routers.noop-secure.service=noop@internal
  - traefik.http.routers.noop-secure.tls=true
  - traefik.http.routers.noop-secure.tls.certresolver=cloudflare
  - traefik.http.routers.noop-secure.tls.domains[0].main=mydomain.com
  - traefik.http.routers.noop-secure.tls.domains[0].sans=*.mydomain.com,*.local.mydomain.com

traefik.yml

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
        - crowdsec-bouncer@file
      tls:
        certResolver: cloudflare

certificatesResolvers:
  cloudflare:
    acme:
      email: myemail@mydomain.com
      storage: acme.json
      keyType: "EC384"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
        propagation:
          delayBeforeChecks: 10s

dynamic.yml

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true

After starting Traefik, I can see _acme.challenge TXT records in my Cloudflare DNS records and those vanish after a while. So it looks like the everything works like it should but the log entry

2025-04-15T00:02:00+02:00 INF Starting provider *acme.ChallengeTLSALPN

has me wondering. Just a display issue in the logs? Or what am I looking at exactly?