I've been rate limited by ACME and now my sites are all down. How could this happen?!

Traefik Traefik v2 (latest)
1

I'm unsure how this happened b/c I have things set up to use wildcards domains. I shouldn't have had more than a handful of new certs, but somehow I've reached my limit of 50?

Apparently traefik keeps re-issuing certs every time I restart my container? Why would it not just use existing certs? How could this possibly happen? Now I can't even access my primary domain b/c that cert is invalid!!

This is a MASSIVE issue, as I now have to wait an entire week to get updated certs for my domain, even if I decide not to use traefik for certs.

2

I have the exact same issue for the second week in a row now.

Every time the containers restarts (I'm testing a lot of TLS unrelated stuff) it renews the certificates apparently. I thought keeping the acme.json outside the container prevents this but it doesn't. Hope somebody can explain this properly to us.

3

Sounds like issues with the acme storage.
Are you certain the acme storage path matches your mount? I've mismatched this before and have the store disappear with the container.

I personally find bind mounts a source of problems for r/w and use a volume mount for these.

Using: --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
And in the compose:

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./dynamic.yaml:/config/dynamic.yaml"
      - "traefik-acme:/acme"
...
volumes:
  traefik-acme:

The documentation says the file permissions have to be 600 which may be something to check.
Check your logs at startup and use --loglevel=DEBUG if nothing is showing up. Do your testing with the acme staging servers until it works.

4

I don't want to completely hijack Ben's thread but believe we have the same problem, so here I go: is bind mounting just the acme.json file then not enough? For reference, this is the relevant part from my docker compose file:

version: "3"

services:
  traefik:
    image: traefik:2.3.6
    container_name: traefik
    restart: unless-stopped
    volumes:
      - ./acme.json:/etc/traefik/acme.json
      - ./traefik.yml:/etc/traefik/traefik.yml
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock

Or am I doing it in the wrong location? I'm pretty sure (but now a little bit in doubt) that the acme.json gets updated properly when I bind mount it to /etc/traefik/acme.json

5

According to the docs that should work(note permission to be 600 not sure how well that works with bind mount)

6

Although its still not 100%, for me it seems to be a configuration / user error on my part.

From the docker-compose file, this:

    volumes:
      - ./acme.json:/etc/traefik/acme.json

Should match the below from the traefik.yaml (or toml) file:

certificatesResolvers:
  letsencrypt:
    acme:
      storage: /etc/traefik/acme.json

Mind the storage path...

Probably very obvious, but it wasn't for me.

1 Like
7

I did post that parameter in my original reply. :slight_smile:

Checking on the container, traefik runs with a cwd of / so mounting it to /acme.json should work as well

8

Honestly, I didn't think about the fact that I needed to persist acme storage. Seems obvious now, but when first learning traefik it's pretty easy to overlook. I wish the docs would have warned me about that!

9

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.