ERR Router uses a non-existent certificate resolver

Greetings,

I'm defeated by this error. I've dug through all the documentation and must be overlooking something simple, so I really just need another set of eyes to tell me how I missed something obvious. I stole most of the config information from this guide, but I can't seem to find out where I messed up.

traefik.yml:

api:
  dashboard: true
  debug: true
certificateResolvers:
  cloudflare:
    acme:
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
      email: myemail@gmail.com
      storage: /acme.json
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
log:
  level: DEBUG
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
#  file:
#    filename: /config.yml
serversTransport:
  insecureSkipVerify: true

Portainer docker-compose file:

    container_name: Traefik
    environment:
      CF_DNS_API_TOKEN: $CLOUDFLARE_TOKEN
    image: traefik:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`legion.epicteammate.com`)"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`legion.epicteammate.com`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certResolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=legion.epicteammate.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.legion.epicteammate.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /opt/traefik/traefik.yml:/traefik.yml
      - /opt/traefik/acme.json:/acme.json
      - /var/run/docker.sock:/var/run/docker.sock:ro

acme.json permissions set to 0600

The only logs I get when I start the container are these:

2024-06-05T22:24:02-04:00 ERR error="accept tcp [::]:443: use of closed network connection" entryPointName=https
2024-06-05T22:24:02-04:00 ERR error="accept tcp [::]:80: use of closed network connection" entryPointName=http
2024-06-05T22:24:02-04:00 ERR error="close tcp [::]:443: use of closed network connection" entryPointName=https
2024-06-05T22:24:02-04:00 ERR error="close tcp [::]:80: use of closed network connection" entryPointName=http
2024-06-05T22:24:04-04:00 ERR Router uses a non-existent certificate resolver certificateResolver=cloudflare routerName=traefik-secure@docker

Someone please point out what is staring me in the face but I can't see!

Some general recommendations:

Make sure to use an absolute path for acme.json and persist it with bind mount or volume:

X-Forwarded-Proto is automatically set by Traefik.

You can do http-to-https redirect centrally on entrypoint, compare to simple Traefik example.

This is sometimes shown during shutdown of the container, so not really relevant:

use of closed network connection

Enable and check Traefik debug log (doc).

Make sure to use an absolute path for acme.json and persist it with bind mount or volume:

Updated to have

storage: /acme.json

Enable and check Traefik debug log (doc).

I must have copied the YAML before I added that. I have:

log:
  level: DEBUG

I'll update the original post for clarity.

For anyone else coming across this error in the future, know that (as of traefik v3.0.3):

  • The directory housing the certificate storage must exist prior to the start of the storage
  • The file itself does not need to be created; Traefik will generate it if it does not exist

i.e.:

storage: /tmp/acme.json

will fail if /tmp does not exist. If /tmp exists, but /tmp/acme.json does not, Traefik will create it for you.
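A pre-flight check for the two failure modes described in this thread (a router label naming a resolver the static config never declares, and an acme.json whose parent directory is missing or whose mode is too open), written as an added example that is not from the thread or from Traefik itself. It assumes traefik.yml has already been loaded into a dict (for example with yaml.safe_load) and that the router labels are available as plain strings; the `root` parameter is a hypothetical test hook, not a Traefik option.

```python
import os
import re
import stat

# Constructed static configuration, mirroring the traefik.yml from the original post
# but already parsed into a dict (load the real file with yaml.safe_load).
STATIC_CONFIG = {
    "certificateResolvers": {
        "cloudflare": {"acme": {"dnsChallenge": {"provider": "cloudflare"},
                                "email": "myemail@example.com",
                                "storage": "/acme.json"}},
    },
}

# Constructed router labels; the last one references a resolver nobody declared.
ROUTER_LABELS = [
    "traefik.http.routers.traefik-secure.tls=true",
    "traefik.http.routers.traefik-secure.tls.certResolver=cloudflare",
    "traefik.http.routers.other.tls.certResolver=letsencrypt",
]

LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.tls\.certResolver=(.+)$")


def preflight(static_config, labels, root="/"):
    """Return a list of findings; an empty list means the config is consistent.
    `root` is a hypothetical test hook: storage paths are checked under it."""
    findings = []
    resolvers = static_config.get("certificateResolvers") or {}
    # 1. Every router that asks for a certResolver must name one the static config declares;
    #    otherwise Traefik logs "Router uses a non-existent certificate resolver".
    for label in labels:
        m = LABEL_RE.match(label)
        if m and m.group(2) not in resolvers:
            findings.append(f"router {m.group(1)} references undeclared resolver {m.group(2)}")
    # 2. The directory holding acme.json must already exist (Traefik creates only the file),
    #    and an existing file must not be readable by group/other (Traefik insists on 0600).
    for name, cfg in resolvers.items():
        storage = (cfg.get("acme") or {}).get("storage")
        if not storage or not os.path.isabs(storage):
            findings.append(f"resolver {name}: acme.storage must be an absolute path")
            continue
        path = os.path.join(root, storage.lstrip("/"))
        if not os.path.isdir(os.path.dirname(path)):
            findings.append(f"resolver {name}: directory {os.path.dirname(storage)} does not exist")
        elif os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"resolver {name}: {storage} is readable by group/other, expected 0600")
    return findings
```

Run it against the same dict and labels Traefik will see before starting the container; an empty list means neither the resolver name nor the storage path will trip the error from the original post.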

storage: /tmp/acme.json

Sorry, but where exactly should that go? In the docker-compose file or in traefik.yml?

Edit: never mind. The issue I was having was because I was trying to have all the Traefik files located on a network mount/folder rather than on the actual computer running Docker.