(How) Is Let's Encrypt staging server for Traefik 2.3 supposed to work?

I'm banging my head on this one.

I've changed my Traefik-container configuration to state:

and no matter what I do, when I look at the request response, I get this for every single request sent, e.g. https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/... from Traefik when it comes to Let's Encypt;

  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405

When I'm using the production environment for Let's Encrypt, e.g. https://acme-v02.api.letsencrypt.org/acme/authz-v3/... I get a lot more reasonable responses;

  "identifier": {
    "type": "dns",
    "value": "..."
  "status": "invalid",
  "expires": "2021-01-01T15:14:49Z",
  "challenges": [
      "type": "tls-alpn-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Error getting validation data",
        "status": 400
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/95734053/7Fd-tw",
      "token": "vChh-BKWSH5SZXiAFmwu7u39GATwGo1X2OIiz8vTs",
      "validationRecord": [
          "hostname": "...",
          "port": "443",
          "addressesResolved": [
          "addressUsed": "..."

I'm currently rate limited on the production server for Let's Encrypt, so I have to wait a week to get another shot at this, and I thought that I could at least do some trial and error with the staging servers until then, but that doesn't seem to be working at all.

Anyone else having these issues and/or know what can be done to deal with a similar situation?


The Let's Encrypt staging works, I'm not able to reproduce your problem.

For more help, I recommend providing the full debug log, configuration, and a minimalistic repeatable example.

I'm seeing the same error in traefik 2.3.6. I've tried both Digital Ocean and Cloudflare, but still getting 405s from LetsEncrypt (staging and prod). LE recently switched over to using POST instead of GET, is traefik's acme client out of date?

The debug log:

time="2021-01-07T22:27:54Z" level=error msg="Unable to obtain ACME certificate for domains "REDACTED": unable to generate a certificate for the domains [REDACTED]: error: one or more domains had a problem:\n[REDACTED] time limit exceeded: last error: NS ns2.digitalocean.com. returned REFUSED for _acme-challenge..\n" routerName=default-guacamole-ingress-7836a6719db43703c666@kubernetescrd rule="Host(REDACTED)" providerName=letsencrypt.acme

Error from LE:

"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405

Traefik is running with the following args/env:

  • args:
    - --global.checknewversion
    - --global.sendanonymoususage
    - --entryPoints.traefik.address=:9000/tcp
    - --entryPoints.web.address=:8000/tcp
    - --entryPoints.websecure.address=:8443/tcp
    - --api.dashboard=true
    - --ping=true
    - --providers.kubernetescrd
    - --providers.kubernetesingress
    - --certificatesresolvers.letsencrypt.acme.email=REDACTED
    - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
    - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    - --certificatesResolvers.letsencrypt.acme.dnschallenge=true
    - --certificatesResolvers.letsencrypt.acme.dnschallenge.provider=digitalocean
    - --api.insecure=true
    - --accesslog=true
    - --log.level=DEBUG
    - name: DO_AUTH_TOKEN
    key: dns-token
    name: digitalocean

Testing with the following ingress:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
name: test-ingress
- websecure

  • match: Host(REDACTED)
    kind: Rule
    • name: test
      port: 8080
      certResolver: letsencrypt