How to troubleshoot "urn:ietf:params:acme:error:connection :: Connection reset by peer"

How do I troubleshoot what is causing “Connection reset by peer”? Specifically, when LetsEncrypt attempts to connect to my service so that it will proceed to generate a TLS certificate.

Reading these forums, I see this is a problem others have encountered before. But I don't know how to troubleshoot what's causing the connection to be reset.

Traefik is one container, there's a service (call it foo-service) running in another container. The Traefik container has both port 80 and 443 exposed. The foo-service container has port 443 exposed. Both are using a named network, within a single Podman pod, which also exposes ports 80 and 443.

The error message (IP address and domain name redacted):

2025-06-17T10:38:32Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [foo.example.org]: error: one or more domains had a problem:\n[foo.example.org] acme: error: 400 :: urn:ietf:params:acme:error:connection :: NNN.NNN.NNN.NNN: Connection reset by peer\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["foo.example.org"] providerName=letsencrypt.acme routerName=websecure-nextcloud@docker rule=Host(`foo.example.org`)

Traefik configuration traefik.yaml:

# /etc/traefik/traefik.yaml
# Configuration for Traefik web proxy.
---
providers:
  docker:
    defaultRule:
      "Host(`{{ trimPrefix `/` .Name }}.container.localhost`)"
    exposedByDefault: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"
  websecure:
    asDefault: true
    address: ":443"
    http:
      tls:
        certResolver: "letsencrypt"

certificatesResolvers:
  letsencrypt:
    acme:
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      email: "admin@example.org"
      storage: "/var/local/lib/acme.json"
      tlsChallenge: true

Relevant labels applied to the service container (not using Docker, but Podman, in case that matters):

    --label traefik.enable=true
    --label traefik.http.routers.foo-service.rule=Host(`foo.example.org`)
    --label traefik.http.routers.foo-service.entrypoints=web,websecure
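Because the resolver uses `tlsChallenge` (TLS-ALPN-01), the CA opens a TCP connection to port 443, sends the domain as SNI and offers the ALPN protocol `acme-tls/1`. The probe below, added here as an example and not part of this thread or of Traefik, does the same from outside the pod and tells "reset" apart from "refused", "timeout" and TLS-level failures; `foo.example.org`, the RST-sending listener and the unused-port helper are constructed for illustration.

```python
"""Probe a host the way a TLS-ALPN-01 validator does: TCP to the port, SNI set to
the domain, ALPN offering "acme-tls/1"; then classify what came back.  Added
example, not Traefik code; foo.example.org and the listener are constructed."""
import socket
import ssl
import struct
import threading


def probe_tls_alpn(host, port=443, sni=None, alpn=("acme-tls/1",), timeout=5.0):
    """Connect like the CA would and report 'handshake_ok', 'refused', 'reset',
    'timeout', 'tls_error' or 'error', plus the underlying detail string."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the challenge certificate is self-signed on purpose
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(list(alpn))
    result = {"host": host, "port": port, "outcome": "", "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                result["outcome"] = "handshake_ok"
                result["detail"] = f"alpn={tls.selected_alpn_protocol()} {tls.version()}"
    except ConnectionRefusedError as e:        # nothing listening / port not published
        result.update(outcome="refused", detail=str(e))
    except (ConnectionResetError, BrokenPipeError) as e:  # peer sent RST mid-handshake
        result.update(outcome="reset", detail=str(e))
    except socket.timeout as e:                # filtered, or the proxy never answers
        result.update(outcome="timeout", detail=str(e))
    except ssl.SSLError as e:                  # TCP fine, TLS handshake rejected
        result.update(outcome="tls_error", detail=str(e))
    except OSError as e:
        result.update(outcome="error", detail=str(e))
    return result


def start_reset_listener():
    """Constructed peer for testing: accept one connection, then abort it with a RST
    (SO_LINGER with zero timeout) so the client sees 'Connection reset by peer'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Constructed 'nothing listening' case: a loopback port bound and released."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(probe_tls_alpn("127.0.0.1", start_reset_listener(), sni="foo.example.org"))
```

Run it from a host outside the pod against the public address, with `sni` set to the real domain; a "reset" there, while the same probe from inside the pod network reports "handshake_ok", points at the port publishing or network path rather than at Traefik.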

Which OS? Any load-balancer or other proxy in front of Traefik? How is Traefik started?

Thank you for the reply.

No load balancer. Traefik is started as its own container.

In the meantime I have completely de-constructed the containers and built them carefully from scratch, following the examples in the documentation.

The configuration I now have works: with the Traefik proxy in a separate container, with the web server (the ‘whoami’ example service) running inside a pod with its own network: HTTP connections are upgraded to HTTPS, and the ACME protocol correctly supplies a TLS certificate.

This is how I had attempted to set it up earlier, but this time it's working correctly.

I will conclude that I must have been doing something wrong with networking between the containers.

Thanks for documentation that helped me to find the right path!
