Let's Encrypt Certificate not automatically renewed

I have Traefik v3 beta running with Let's Encrypt and all worked fine so far: the certificate was acquired and the HTTPS traffic worked fine.

For a few days now I have been getting emails like this from Let's Encrypt:

"Hello, Your certificate (or certificates) for the names listed below will expire in 19 days (on 2023-12-20). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors. We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.
[...]"

It seems Traefik does not try to (betimes) renew the certificate!

Is this a bug in Traefik, or is there something in the config I need to modify?

What is the Traefik debug log telling you? Any error messages? Is acme.json writeable?

Thank you for chiming in! :)

Only root may write. Is this too restrictive?

-rw------- 1 root root 53248 Nov 28 15:31 /mnt/volume-fsn1-1/traefik/acme.json

The log looks like this:

2023-11-14T22:51:26Z ERR Error getting challenge for token retrying in 530.417126ms providerName=acme
2023-11-14T22:51:26Z ERR Error getting challenge for token retrying in 1.003622133s providerName=acme
2023-11-14T22:51:27Z ERR Error getting challenge for token retrying in 1.29700131s providerName=acme
2023-11-14T22:51:28Z ERR Error getting challenge for token retrying in 1.199961319s providerName=acme
2023-11-14T22:51:30Z ERR Error getting challenge for token retrying in 1.376171861s providerName=acme
2023-11-14T22:51:31Z ERR Error getting challenge for token retrying in 4.273713331s providerName=acme
2023-11-14T22:51:35Z ERR Error getting challenge for token retrying in 5.986008809s providerName=acme
2023-11-14T22:51:41Z ERR Error getting challenge for token retrying in 12.230660482s providerName=acme
2023-11-14T22:51:54Z ERR Error getting challenge for token retrying in 9.854950311s providerName=acme
2023-11-14T22:52:03Z ERR Cannot retrieve the ACME challenge for headcrashing.eu (token "class_api.php") error="cannot find challenge for token \"class_api.php\" (headcrashing.eu)" providerName=acme

Also there are a lot of lines saying things like this:

2023-12-01T17:42:32Z ERR Error while handling TCP connection error="readfrom tcp 172.25.0.3:53282->172.25.0.2:5432: tls: no cipher suite supported by both client and server"
2023-12-01T17:42:33Z ERR Error while handling TCP connection error="readfrom tcp 172.25.0.3:53294->172.25.0.2:5432: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])"
2023-12-01T17:42:33Z ERR Error while handling TCP connection error="readfrom tcp 172.25.0.3:53306->172.25.0.2:5432: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])"
2023-12-01T17:42:33Z ERR Error while handling TCP connection error="readfrom tcp 172.25.0.3:53320->172.25.0.2:5432: tls: client offered only unsupported versions: [302 301]"
2023-12-01T17:42:33Z ERR Error while handling TCP connection error="readfrom tcp 172.25.0.3:53330->172.25.0.2:5432: read tcp 172.23.0.10:5432->212.102.40.218:39566: read: connection reset by peer"
2023-12-01T17:42:34Z ERR Error while handling TCP connection error="readfrom tcp 172.25.0.3:53350->172.25.0.2:5432: read tcp 172.23.0.10:5432->212.102.40.218:7664: read: connection reset by peer"

But I think that is irrelevant, as 5432 is a PostgreSQL container behind Traefik.
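As an added example (not part of the thread and not Traefik's own code), here is a small Python script that reads log lines in the format quoted above, separates the ACME provider lines from the unrelated TCP errors, reports only the terminal "Cannot retrieve the ACME challenge" failures with their domain and token, and checks a certificate's validity window against the renewal rule from the Let's Encrypt mail (renew once a third of the lifetime is left). The sample log lines, domain and token are constructed placeholders modelled on the thread's output.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the Traefik log format quoted in the
# thread; the domain and token are placeholders, not the poster's values.
SAMPLE_LOG = [
    '2023-11-14T22:51:26Z ERR Error getting challenge for token retrying in 530.417126ms providerName=acme',
    '2023-11-14T22:51:41Z ERR Error getting challenge for token retrying in 12.230660482s providerName=acme',
    '2023-11-14T22:52:03Z ERR Cannot retrieve the ACME challenge for example.test (token "abc123") '
    'error="cannot find challenge for token \\"abc123\\" (example.test)" providerName=acme',
    '2023-12-01T17:42:32Z ERR Error while handling TCP connection error="readfrom tcp '
    '172.25.0.3:53282->172.25.0.2:5432: tls: no cipher suite supported by both client and server"',
]

# "<RFC3339 timestamp> <LEVEL> <message>" as in the quoted output.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<level>[A-Z]{3}) (?P<msg>.*)$'
)
CHALLENGE_FAIL_RE = re.compile(
    r'Cannot retrieve the ACME challenge for (?P<domain>\S+) \(token "(?P<token>[^"]+)"\)'
)


def parse_line(line):
    """Split one log line into timestamp, level and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        'ts': datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc),
        'level': m['level'],
        'msg': m['msg'],
        'acme': 'providerName=acme' in m['msg'],
    }


def acme_failures(lines):
    """Return (retry_count, failures) where failures is a list of
    (timestamp, domain, token) for terminal ACME challenge errors.
    Transient "retrying in ..." lines are only counted, since the ACME
    client backs off and retries them by itself."""
    retries = 0
    failures = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev['acme']:
            continue  # unrelated lines, e.g. TCP errors for the PostgreSQL backend
        if 'retrying in' in ev['msg']:
            retries += 1
            continue
        m = CHALLENGE_FAIL_RE.search(ev['msg'])
        if m:
            failures.append((ev['ts'], m['domain'], m['token']))
    return retries, failures


def _as_dt(value):
    """Accept a datetime or a 'YYYY-MM-DD' string (treated as UTC midnight)."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, '%Y-%m-%d').replace(tzinfo=timezone.utc)


def renewal_due(not_before, not_after, now, fraction=1 / 3):
    """True once no more than `fraction` of the certificate's lifetime remains.
    With the default this is the Let's Encrypt recommendation quoted in the
    thread: renew at 30 days before expiry for a 90-day certificate."""
    nb, na, t = _as_dt(not_before), _as_dt(not_after), _as_dt(now)
    lifetime = na - nb
    return (na - t) <= lifetime * fraction


if __name__ == '__main__':
    retries, failures = acme_failures(SAMPLE_LOG)
    print(f'{retries} transient retries, {len(failures)} terminal failure(s)')
    for ts, domain, token in failures:
        print(f'  {ts.isoformat()} domain={domain} token={token}')
    # A 90-day certificate issued 2023-09-21 and expiring 2023-12-20, checked on 2023-12-01
    print('renewal due:', renewal_due('2023-09-21', '2023-12-20', '2023-12-01'))
```

Run it against a real log with `acme_failures(open('traefik.log').read().splitlines())`; the renewal check can be fed the `notBefore`/`notAfter` of the live certificate, which is the quickest way to tell whether Traefik is merely late or has stopped renewing altogether.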

Please share your full Traefik static and dynamic config, and docker-compose.yml if used.

Is it really necessary to post all of that? I mean, that is a huge amount of information, and only a few bits of it deal with ACME. Couldn't we limit the posted config to the actually relevant bits?