No ACME certificate generation required but unknown certificate

Hi! I'm trying to deploy my application. Everything is ready, I took the server and domain and everything should work except I can't obtain a certificate. As soon as I launched the app with Traefik for the first time I constantly got a message "No ACME certificate generation required for domains" alongside "serving default certificate", "bad handshake" and "unknown certificate".

It's all the same if I try to restart the app. So my app, domain, etc. are kinda useless since I can't reach them; I constantly get 404 errors.

I have AWS EC2. I thought maybe there is a default SSL cert which is just a placeholder and this is the reason why I can't obtain a cert. I deleted everything in the etc/ssl/ folder but it didn't help.

I use Docker; I don't know, maybe there are some self-generated certificates inside Docker or something.

Where should I look for "default" certificates that cause that nonsense to delete them or what is the reason for that issue? Could anyone tell paths where to look for bad certs?

services:

  streamlit_app:
    image: ${IMAGE_NAME}
    build: .
    ports:
      - "${PORT}:${PORT}"
    env_file:
      - ${ENV_FILE}
    depends_on:
      - traefik
    labels:
      # Base setup
      - "traefik.enable=true"
      - "traefik.http.routers.streamlit_app.rule=HostRegexp(`${DOMAIN}`)"  # Host address
      - "traefik.http.services.streamlit_app.loadbalancer.server.port=${PORT}"
      - "traefik.http.routers.streamlit_app.entrypoints=web"  # Use the HTTP entry point (web)
      # Get SSL certificate
      - "traefik.http.routers.streamlit_app.rule=Host(`${DOMAIN}`)"  # Replace with your domain
      - "traefik.http.routers.streamlit_app.entrypoints=websecure"  # Use the secure entry point
      - "traefik.http.routers.streamlit_app.tls.certresolver=myresolver"  # Use Let's Encrypt resolver

  traefik:
    image: traefik:v2.10
    command:
      # Base setup
      - "--log.level=DEBUG"  # Debug tools
      - "--api.insecure=true"  # Debug tools
      - "--api.dashboard=true"  # Debug tools
      - "--providers.docker=true"  # Out of the box settings
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"  # Listen ports (http)
      - "--entrypoints.websecure.address=:443"  # Listen ports (https)
      # Get SSL certificate
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"  # Use TLS challenge for SSL
      - "--certificatesresolvers.myresolver.acme.email=${EMAIL_USERNAME}"  # Contact email for the ACME account
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"  # Where to store certificates
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"  # DEBUG


    ports:
      - "80:80"  # Open ports (http)
      - "443:443"  # Open ports (https)
      - "8080:8080"  # Traefik console
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"  # Out of the box settings
      - "./letsencrypt:/letsencrypt"  # Storage for SSL certificates

For different rules you need different router names. This is wrong:

Note that you usually would not expose ports: of the target service, as all connections should be proxied through Traefik. Instead you would connect Traefik and target services via a Docker Network.

Also I recommend using a global http-to-https redirect and only using websecure on the router to reduce config. Compare to the simple Traefik example.
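The three suggestions in this reply, applied to the compose file from the question, as an added example that is not the poster's or the Traefik project's own file: the app has a single router on websecure only, no published ports, and shares a Docker network with Traefik, which redirects all HTTP to HTTPS at the entry point. The network name `proxy` is an assumption, and the debug and staging flags from the post are left out for brevity.

```yaml
# Added example (not from the original post): one router, one rule, HTTPS only.
services:

  streamlit_app:
    image: ${IMAGE_NAME}
    build: .
    env_file:
      - ${ENV_FILE}
    # No "ports:" section: the app is reachable only through Traefik.
    networks:
      - proxy  # assumed network name
    labels:
      - "traefik.enable=true"
      # Each label key appears once, so no rule or entry point is silently overridden.
      - "traefik.http.routers.streamlit_app.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.streamlit_app.entrypoints=websecure"
      - "traefik.http.routers.streamlit_app.tls.certresolver=myresolver"
      - "traefik.http.services.streamlit_app.loadbalancer.server.port=${PORT}"

  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Global redirect: every request arriving on :80 is sent to :443.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=${EMAIL_USERNAME}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"

networks:
  proxy: {}
```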