How to remove unused certificates

Hi,

creating new certificates for containers works just fine (we use letsencrypt with dnsChallenge and httpChallenge in parallel). The question is, how does traefik behave when a container gets deleted? Will it try to renew the certificate because it's still inside the .json store? If so, is there a recommended way to permanently remove a certificate?

Cheers,
j.


I'm about 80% sure, that it won't renew them if they are not used. Renewal is only triggered by a tls router configuration. So you do not really have to remove them.

Alright then, if I don't forget I will check back again in 2 months time, when renewal will start :wink:

Certificates will remain in the store forever. They will also be renewed when close to expiring.

The only way to safely remove certificates is to stop Traefik, update acme.json (manually or using jq or whatever, also see linked issue), then restart Traefik.
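One way to do that edit offline, as an added example that is not part of the thread: a small Python script (instead of jq) that backs up acme.json and drops every certificate whose names are no longer served. It assumes the Traefik v2 acme.json layout (resolver name as top-level key, a `Certificates` array whose entries carry `domain.main` and optional `domain.sans`); the sample store and domain names are constructed.

```python
import json
import shutil
import sys
from pathlib import Path

# Constructed sample in the assumed Traefik v2 acme.json layout; certificate
# and key bodies are placeholders, "le" is the resolver name.
SAMPLE_ACME = {
    "le": {
        "Account": {"Email": "ops@example.com", "PrivateKey": "PLACEHOLDER"},
        "Certificates": [
            {"domain": {"main": "app.example.com"},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
            {"domain": {"main": "old.example.com", "sans": ["www.old.example.com"]},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
        ],
    }
}


def certificate_domains(entry):
    """All names covered by one certificate entry (main plus SANs)."""
    dom = entry.get("domain", {})
    return {dom.get("main", "")} | set(dom.get("sans") or [])


def prune_store(store, in_use):
    """Return (pruned copy of store, list of dropped main domains).
    An entry is kept if any name it covers is still in `in_use`."""
    in_use = set(in_use)
    pruned, dropped = {}, []
    for resolver, data in store.items():
        kept = []
        for entry in data.get("Certificates") or []:
            if certificate_domains(entry) & in_use:
                kept.append(entry)
            else:
                dropped.append(entry["domain"]["main"])
        pruned[resolver] = {**data, "Certificates": kept}
    return pruned, dropped


def prune_file(path, in_use):
    """Back up acme.json next to itself, rewrite it without unused entries.
    Run only while Traefik is stopped, as the thread advises."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    pruned, dropped = prune_store(json.loads(path.read_text()), in_use)
    path.write_text(json.dumps(pruned, indent=2))
    path.chmod(0o600)  # the file holds private keys
    return dropped


if __name__ == "__main__":  # usage: prune.py /path/acme.json app.example.com ...
    print("dropped:", prune_file(sys.argv[1], sys.argv[2:]))
```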

Can acme.json be updated on the fly without rebooting Traefik ?

It has been recommended before to not mess with the acme.json file while Traefik is running.

Traefik assumes it's the single user of the file, so it can do whatever, might just load it during startup and only (over)write during runtime.


Thanks.

If I decide not to shut down Traefik to edit the acme.json, unused certificates will continue to be renewed (as discussed above). This raises concerns about the worst-case scenario:

  1. Renewal failures: What will happen if the renewal fails because the CNAME records no longer exist (or any other reason)?

AFAIK the expired certificate will be used.


What if we remove acme.json file completely and restart Traefik? Can we expect that it will issue new certificates for only the domains in use?

It should create TLS certs for the configured domains. But this could take some minutes if you have many.

Usual precaution: make a backup of the old file before removing it.