Let's Encrypt certificate not being issued in Traefik 2.11 despite correct DNS and HTTP challenge setup

Hi everyone,

I’ve been trying for hours to get a Let’s Encrypt certificate working with Traefik 2.11 in Docker but no certificate is being issued. I’d really appreciate any help — I feel like I’ve tried everything.

Here’s my setup:

  • Traefik version: 2.11.24
  • Docker environment
  • Ports 80 and 443 are exposed and open in the firewall.
  • ACME HTTP challenge configured using entryPoint web.
  • Dashboard is served via websecure (port 443) and correctly routed using a file provider (dashboard.yml).
  • Domain resolves correctly to my server via A and AAAA records.
  • File /letsencrypt/acme.json exists and has correct permissions (600).
  • I can access http://mydomain.com/.well-known/acme-challenge/test and see a blank page (HTTP 200).
  • Running curl -I https://acme-v02.api.letsencrypt.org returns HTTP 200.
  • Traefik logs show Testing certificate renew... but nothing happens after that. No line about "certificate obtained".
  • I’ve confirmed that tls.certresolver=letsencrypt is included in the router rule.

Contents of dashboard.yml (simplified):

http:
  routers:
    traefik-dashboard:
      rule: "Host(`traefik.server4.mydomain.com`)"
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: api@internal
      middlewares:
        - dashboard-auth
        - ipwhitelist

  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          - "user:$apr1#####################"

    ipwhitelist:

Docker-compose.yml

      - "--certificatesresolvers.letsencrypt.acme.email=contacto@mydomail.com>
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json>
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/rules"
      - "--providers.file.watch=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
      - "./traefik.yml:/traefik.yml:ro"
      - "./rules:/rules"


networks:
  traefik:
    name: traefik


Traefik.yml

log:
  level: INFO

accessLog: {}

api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: contacto@midominio.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

I also checked that the domain is reachable externally and that no other services are blocking port 80. I'm not using Cloudflare or DNS challenge — only HTTP.

Any ideas why the certificate isn’t being issued? Thanks so much in advance 🙏

You can’t use traefik.yml and command: at the same time for Traefik static config, decide on one (doc).

For a working setup, compare to the simple Traefik example.

Thank you so much for your help! The issue is finally resolved.

In case it helps someone else, here’s what we did to fix it:

  1. Removed all command: lines from docker-compose.yml, so we only use traefik.yml for static config.
  2. Used a clean and minimal traefik.yml with entryPoints, certificatesResolvers, and api.dashboard: true.
  3. Mounted the folder ./rules into the container and added file: directory: /rules in the static config.
  4. Created a new file cert-test.yml in /rules with a simple HTTP router to expose a reachable path for the Let's Encrypt ACME HTTP challenge.
  5. Fixed the YAML indentation and used proper backticks in the rule: Host(`subdomain.domain.com`).

As soon as we added a valid HTTP router and removed the conflicting command lines, Traefik was able to retrieve the SSL certificate with Let's Encrypt.

Thanks again for pointing us to the config example and clarifying that we can’t use both traefik.yml and command: at the same time!
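
The consolidation described in this thread, as an added example that is not taken from any of the posts: the command: flags from the original docker-compose.yml are moved into traefik.yml, so the file is the only source of static configuration. The e-mail address is a placeholder, and the image tag and the /etc/traefik/traefik.yml mount target (one of Traefik's default search locations) are assumptions.

```yaml
# ---- traefik.yml: the single source of static configuration ----
log:
  level: INFO

api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false   # was --providers.docker.exposedbydefault=false
  file:
    directory: /rules         # was --providers.file.directory=/rules
    watch: true               # was --providers.file.watch=true

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com          # placeholder address (assumption)
      storage: /letsencrypt/acme.json   # file mode 600, as in the original post
      httpChallenge:
        entryPoint: web                 # challenge is answered on port 80

---
# ---- docker-compose.yml: no command: block, so no CLI static options ----
services:
  traefik:
    image: traefik:v2.11                # assumed tag for the 2.11 line
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
      - "./traefik.yml:/etc/traefik/traefik.yml:ro"   # default search location
      - "./rules:/rules:ro"             # dynamic config (dashboard.yml etc.)
    networks:
      - traefik

networks:
  traefik:
    name: traefik
```

Routers and middlewares such as those in dashboard.yml are dynamic configuration and stay in /rules; only the static options have to come from a single source.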