HA with etcd backed certs in swarm

Karmicjuju · February 23, 2025, 1:41pm

Running a Swarm cluster and v3 as a global service.
When I set the cert storage to a file, i get a successful challenge. However, pointing to etcd endpoints returns

unable to get ACME account: open etcd://192.168.7.200:2379,192.168.7.201:2379,192.168.7.202:2379/traefik/acme.json: no such file or directory

my config is as so:

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  level: DEBUG

accesslog: {}

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  web-external:
    address: ":81"
    http:
      redirections:
        entryPoint:
          to: websecure-external
          scheme: https
  websecure-external:
    address: ":444"
certificatesResolvers:
  cloudflare:
    acme:
    email: ##### OMITED FOR PRIVACY #####
      storage: "etcd://192.168.7.200:2379,192.168.7.201:2379,92.168.7.202:2379/traefik/acme.json"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1"
          - "8.8.8.8"

providers:
  swarm:
    exposedByDefault: false
    network: service-net
  file:
    directory: /etc/traefik
    watch: true

For trouble shooting purposes I have attatched to the container and can successfully read and write directly to all the etcd nodes

Is this not actually supported or did I miss something in my traefik.yaml?

After spending a few days on this I even tried conul, but I recieved the same error and conditions. File works fine.

bluepuma77 · February 23, 2025, 2:13pm

Are you using Traefik EE? Traefik CE (Community Edition) does not allow distributed LetsEncrypt, AFAIK.

Karmicjuju · February 23, 2025, 3:45pm

I am using CE. I didn’t know this functionality was exclusive to EE. I thought the distributed storage was supported, just not the coordination. I was under the assumption that it would just differ the management of the certificate file to the kv store.

bluepuma77 · February 24, 2025, 6:05am

At least the Traefik website (link) states distributed LetsEncrypt only works with Traefik EE. Devs somehow got to be paid.

You can use up to 5 servers in Swarm with dnsChallenge for individual TLS certs.

Or use LE outside of Traefik and load the certs, like post, post.

With k8s cert-manager, the distributed LetsEncrypt works with open-source Traefik.

Topic		Replies	Views
Letsencrypt acme ends in 404 Traefik v2 docker-swarm , letsencrypt-acme	4	4984	February 10, 2021
Traefik doesn't write in acme.json on version 2.3.4 Traefik v2 docker , docker-swarm , letsencrypt-acme	6	4021	December 17, 2020
Struggling with Traefik, Wildcard LE certs and Portainer Traefik v3 (latest) letsencrypt-acme	2	53	February 15, 2025
Cannot get ACME client ACME challenge not specified Traefik v2 letsencrypt-acme	5	6014	October 21, 2020
Help going from K3s to Docker Swarm (on Windows) Invalid request headers (6003) Traefik v2 docker-swarm , letsencrypt-acme	5	184	April 3, 2024

HA with etcd backed certs in swarm

Related topics