How does Traefik handle a Let's Encrypt rate limit?

I am in a situation where I am provisioning a traefik proxy through some infrastructure-as-code tools and wont know the IP address of my cloud deployment until after it has been created.

After I deploy my stack to the cloud I then have to take the IP address of said deployment and manually update my domain name records to match with the new IP.

In the time that the hostname records take to update, Traefik runs into a "failure to validate" rate limit with Let's Encrypt, which lasts for one hour after 5 failed requests. I have a few questions regarding this.

How does Traefik handle a rate limit response from Let's Encrypt? Will Traefik continue to send requests and continue to get back rate-limit warnings? Or is it smart enough to sit the timeout before trying to make another request?

Alternatively, are there any configuration options that would allow for me to first attempt to obtain a cert from the LE staging server and upon success then go and request a cert from the production server? It seems this would be an elegant solution to my problem as the staging server has much higher rate-limits so I wouldn't need to worry about getting timed-out while I wait for the hostname information to update.

I appreciate any help the community can offer.


Bumping this thread because I still can't narrow down how exactly Traefik is designed to handle rate limits.

hello @adam_placs

Thank you for using Traefik and asking the question here.

First of all, the best recommendation is to use the Lets Encrypt staging server during the development phase to avoid situations where an account will be blocked due to Lets Encrypt rate limits. It can be configured through caServer attribute.

Once the development phase is completed the configuration can be switched to Production caServer. However, Traefik will not obtain a new certificate from the Production environment since there is still a valid certificate in storage (acme.json) obtained from the Staging environment. The existing certificate should be manually removed or even the acme.json file can be completely wiped out.

That should solve the question regarding the development phase and reaching Lets Encrypt limits once the configuration is not yet ready.

Additionally, there is no smart configuration to configure retry on Traefik in order to obtain a certificate. That process is managed while the dynamic configuration is reloaded then a certificate will be obtained if there is no valid certificate in a store.

Please let me know if you have any other questions concerning that topic.

Thank you,

1 Like

@jakubhajek, thanks for your response. I believe you have answered my questions.

I've resorted to running a script to enable Traefik after I can be sure that my DNS records have propagated.


Thanks for the update, @adam_placs

Let us know if you have any other topics to discuss.

Traefik Enterprise can be configured to use an ACME provider (like Let's Encrypt )