Hi there,
When I start the Traefik stack, I can see the following in the traefik.log
```text
2025-04-15T00:01:59+02:00 INF Traefik version 3.3.5 built on 2025-03-31T08:45:53Z version=3.3.5
2025-04-15T00:01:59+02:00 INF Loading plugins... plugins=["traefik-oidc-auth"]
2025-04-15T00:02:00+02:00 INF Plugins loaded. plugins=["traefik-oidc-auth"]
2025-04-15T00:02:00+02:00 INF Starting provider aggregator *aggregator.ProviderAggregator
2025-04-15T00:02:00+02:00 INF Starting provider *file.Provider
2025-04-15T00:02:00+02:00 INF Starting provider *traefik.Provider
2025-04-15T00:02:00+02:00 INF Starting provider *docker.Provider
2025-04-15T00:02:00+02:00 INF Starting provider *acme.ChallengeTLSALPN
2025-04-15T00:02:00+02:00 INF Starting provider *acme.Provider
2025-04-15T00:02:00+02:00 INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2025-04-15T00:02:01+02:00 INF Register... providerName=cloudflare.acme
```
So if I understand this correctly, it's doing a TLS-ALPN-01 challenge instead of a DNS-01 challenge, correct?
Here are the relevant configurations:

docker-compose.yml

```yaml
environment:
  - CF_API_EMAIL=${CF_API_EMAIL}
  - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
labels:
  - traefik.http.routers.noop-secure.entrypoints=websecure
  - traefik.http.routers.noop-secure.service=noop@internal
  - traefik.http.routers.noop-secure.tls=true
  - traefik.http.routers.noop-secure.tls.certresolver=cloudflare
  - traefik.http.routers.noop-secure.tls.domains[0].main=mydomain.com
  - traefik.http.routers.noop-secure.tls.domains[0].sans=*.mydomain.com,*.local.mydomain.com
```
traefik.yml

```yaml
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
        - crowdsec-bouncer@file
      tls:
        certResolver: cloudflare

certificatesResolvers:
  cloudflare:
    acme:
      email: myemail@mydomain.com
      storage: acme.json
      keyType: "EC384"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
        propagation:
          delayBeforeChecks: 10s
```
dynamic.yml

```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
```
After starting Traefik, I can see _acme-challenge TXT records in my Cloudflare DNS records and those vanish after a while. So it looks like everything works like it should, but the log entry

```text
2025-04-15T00:02:00+02:00 INF Starting provider *acme.ChallengeTLSALPN
```

has me wondering. Just a display issue in the logs? Or what am I looking at exactly?
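Added example (not part of the original post and not Traefik's own code): a stdlib-only Python script that answers this kind of question from the artifacts already at hand rather than from the startup log. It separates the "Starting provider ..." lines, which are emitted at boot for every provider in the aggregator, from the ACME events that carry a `providerName=` field, and it reads the resolver's storage file to see what was actually issued: a certificate whose SANs contain a wildcard can only have been obtained through DNS-01, since that is the only challenge Let's Encrypt accepts for wildcard names. It assumes the Traefik v3 acme.json layout (resolver name at the top level, with `Account` and `Certificates`, each certificate carrying a `domain` object with `main` and `sans` plus base64-encoded `certificate`/`key` PEM blobs); the acme.json contents and log lines below are constructed, with placeholder PEM bodies, not real keys.

```python
"""Check which ACME challenge a Traefik resolver really used, from acme.json and traefik.log."""
import base64
import json
import re
from dataclasses import dataclass

# Constructed log sample in the shape Traefik v3 writes: timestamp, level, message, key=value pairs.
SAMPLE_LOG = """\
2025-04-15T00:02:00+02:00 INF Starting provider aggregator *aggregator.ProviderAggregator
2025-04-15T00:02:00+02:00 INF Starting provider *file.Provider
2025-04-15T00:02:00+02:00 INF Starting provider *docker.Provider
2025-04-15T00:02:00+02:00 INF Starting provider *acme.ChallengeTLSALPN
2025-04-15T00:02:00+02:00 INF Starting provider *acme.Provider
2025-04-15T00:02:00+02:00 INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2025-04-15T00:02:01+02:00 INF Register... providerName=cloudflare.acme
"""

# Constructed acme.json sample (assumed v3 layout); PEM bodies are placeholders, not real key material.
SAMPLE_ACME_JSON = json.dumps({
    "cloudflare": {
        "Account": {"Email": "myemail@mydomain.com",
                    "Registration": {"body": {"status": "valid"}},
                    "PrivateKey": ""},
        "Certificates": [{
            "domain": {"main": "mydomain.com",
                       "sans": ["*.mydomain.com", "*.local.mydomain.com"]},
            "certificate": base64.b64encode(
                b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n").decode(),
            "key": base64.b64encode(
                b"-----BEGIN EC PRIVATE KEY-----\n(placeholder)\n-----END EC PRIVATE KEY-----\n").decode(),
            "Store": "default",
        }],
    }
})

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]{3}) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def classify_log(text):
    """Return (providers_started, acme_events).

    providers_started: the type names from "Starting provider ..." boot lines.
    acme_events: (resolver, message) for lines carrying a providerName= field,
    i.e. actual resolver activity rather than provider registration.
    """
    providers_started, acme_events = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Starting provider "):
            providers_started.append(msg.split()[-1])
            continue
        kv = dict(KV_RE.findall(msg))
        if "providerName" in kv:
            # Text before the first key=value pair is the human-readable message.
            acme_events.append((kv["providerName"], KV_RE.split(msg)[0].strip()))
    return providers_started, acme_events


@dataclass
class CertEntry:
    resolver: str
    main: str
    sans: list
    pem_ok: bool  # decoded blob looks like a PEM certificate

    @property
    def names(self):
        return [self.main, *self.sans]

    @property
    def has_wildcard(self):
        return any(n.startswith("*.") for n in self.names)


def load_certificates(acme_json_text):
    """Parse the resolver storage file into CertEntry records ("Certificates" may be null)."""
    entries = []
    for resolver, body in json.loads(acme_json_text).items():
        for cert in body.get("Certificates") or []:
            pem = base64.b64decode(cert.get("certificate", ""))
            entries.append(CertEntry(
                resolver=resolver,
                main=cert["domain"]["main"],
                sans=list(cert["domain"].get("sans") or []),
                pem_ok=pem.startswith(b"-----BEGIN CERTIFICATE-----"),
            ))
    return entries


def challenge_evidence(entry):
    """A wildcard name can only be issued via DNS-01, so it proves which challenge succeeded."""
    return "dns-01" if entry.has_wildcard else "unknown (http-01, tls-alpn-01 or dns-01)"


def storage_mode_ok(mode):
    """acme.json holds the ACME account key and certificate private keys: owner-only access."""
    return (mode & 0o077) == 0


if __name__ == "__main__":
    providers, events = classify_log(SAMPLE_LOG)
    print("providers registered at boot:", providers)
    print("resolver activity:", events)
    for e in load_certificates(SAMPLE_ACME_JSON):
        print(f"{e.resolver}: {e.names} pem_ok={e.pem_ok} -> {challenge_evidence(e)}")
    print("acme.json mode 0600 ok:", storage_mode_ok(0o600), "| 0644 ok:", storage_mode_ok(0o644))
```

Run it against a real deployment by replacing the two samples with `open("traefik.log").read()` and `open("acme.json").read()`, and pass `os.stat("acme.json").st_mode` to `storage_mode_ok`; a wildcard SAN in the parsed entry is conclusive evidence of DNS-01 regardless of which providers were registered at startup.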