Dynamic Config for TLS acme inside ecs not working

I have an ECS service (whoami) with Docker labels:

"traefik.enable"                                        = true
"traefik.http.services.whoami.loadbalancer.server.port" = "80"

My Traefik container has service discovery enabled; my static yml:

api:
  insecure: true

log:
  level: DEBUG

entryPoints:
  web:
    address: ":80/tcp"
  websecure:
    address: ":443/tcp"
  gateway:
    address: ":8088/tcp"
  health:
    address: ":8090/tcp"
  metadata:
    address: ":8070/tcp"

providers:
  file:
    filename: "/data/dynamic.yaml"
    watch: true
  ecs:
    region: "xxx"
    clusters: "xxx"
    exposedbydefault: true
    autoDiscoverClusters: true

certificatesResolvers:
  external:
    acme:
      email: xxx@xxx.com
      storage: /data/external-acme.json
      httpChallenge:
        entryPoint: web

  internal:
    acme:
      email: xxx@xxx.com
      storage: /data/internal-acme.json
      dnsChallenge:
        provider: route53
        delayBeforeCheck: "0"

My dynamic.yml:

http:
  routers:
    whoami:
      rule: "Host(`xxx.xyz`) || HostRegexp(`^.+\\.xxx\\.xyz$`)"
      service: whoami@ecs
      entryPoints:
        - web
        - websecure
      tls:
        certResolver: internal
        domains:
          - main: "bitcommerz.xyz"
            sans:
              - "*.bitcommerz.xyz"
    acme-whoami:
      rule: "Host(`sub1.xxx.online`) || Host(`sub2.xxx.online`)"
      service: whoami@ecs
      entryPoints:
        - web
        - websecure
      tls:
        certResolver: external
        domains:
          - main: "sub1.xxx.online"
            sans:
              - "sub2.xxx.online"

Now the TLS certificate is not being received for sub1.xxx.online and sub2.xxx.online; the others are working fine.

Enable and check Traefik debug log (doc).

It’s rather unusual to split router and service between dynamic config file and labels.

Note that you enable both entrypoints on router and enable TLS, so you get TLS on http port 80. When using httpChallenge, you don’t need to assign web as entrypoint, Traefik handles it internally.

In the log I can see:

2025-06-24T04:32:37Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:553 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [sub1.xxx.online sub2.xxx.online]: error: one or more domains had a problem:\n[sub2.xxx.online] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for sub2.xxx.online - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for sub2.xxx.online - check that a DNS record exists for this domain\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["sub1.xxx.online","sub2.xxx.online"] providerName=external1.acme routerName=acme-whoami@file rule="Host(sub1.xxx.online) || Host(sub2.xxx.online)"

While my domain setup is like this:

sub1.xxx.online (the domain I want SSL for) -> CNAME -> another_domain (already has SSL with this Traefik) -> Route53 Alias -> AWS NLB -> Traefik

What am I doing wrong here?
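An added pre-flight check, not from the thread or from Traefik, for the router -> certResolver -> domains layout in the dynamic config above. It catches the two things Let's Encrypt rejects before Traefik ever requests the certificate: a name with no public A/AAAA record (the NXDOMAIN in the log) and a wildcard SAN on a resolver that uses httpChallenge (HTTP-01 cannot issue wildcards, only dnsChallenge can). Resolver names and domains are the thread's placeholders; the DNS lookup is injectable so the check also runs offline.

```python
# Added example: pre-flight check for Traefik ACME domains (not from the thread).
import socket

# Which challenge each certResolver uses, taken from the static config above.
RESOLVER_CHALLENGE = {"external": "http", "internal": "dns"}

# Routers as in dynamic.yml, reduced to what the ACME request actually uses.
ROUTERS = {
    "whoami": {"certResolver": "internal",
               "domains": [{"main": "bitcommerz.xyz", "sans": ["*.bitcommerz.xyz"]}]},
    "acme-whoami": {"certResolver": "external",
                    "domains": [{"main": "sub1.xxx.online", "sans": ["sub2.xxx.online"]}]},
}


def system_resolves(name):
    """Default lookup: True if the OS resolver finds any A/AAAA for name (CNAMEs are followed)."""
    try:
        return bool(socket.getaddrinfo(name, 443))
    except socket.gaierror:
        return False


def acme_preflight(routers, resolver_challenge, resolves=system_resolves):
    """Return a list of (router, domain, reason) problems; an empty list means the request can succeed."""
    problems = []
    for router, cfg in routers.items():
        challenge = resolver_challenge.get(cfg["certResolver"])
        if challenge is None:
            problems.append((router, "", f"unknown certResolver {cfg['certResolver']}"))
            continue
        for entry in cfg["domains"]:
            for name in [entry["main"], *entry.get("sans", [])]:
                if name.startswith("*."):
                    # Wildcards are never looked up directly; they only work with DNS-01.
                    if challenge != "dns":
                        problems.append((router, name, "wildcard needs dnsChallenge"))
                    continue
                if not resolves(name):
                    problems.append((router, name, "no A/AAAA record (NXDOMAIN)"))
    return problems


if __name__ == "__main__":
    for problem in acme_preflight(ROUTERS, RESOLVER_CHALLENGE):
        print(*problem)
```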

It states the problem right there: