"No default certificate, generating one" even if default certificate is specified

I don't understand why I receive the following line in Traefik logs every time I run docker stack deploy:

level=debug msg="No default certificate, generating one"

I defined the default certificate in my dynamic configuration like so:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /cert/example.com.crt
        keyFile: /cert/example.com.key
  certificates:
    - certFile: /cert/example.com.crt
      keyFile: /cert/example.com.key
      stores:
        - default

Interestingly, later in logs I see the following line:

level=debug msg="Adding certificate for domain(s) *.example.com,example.com"

Why am I receiving "No default certificate, generating one" even though I specified a default certificate?



Unfortunately I don't have an answer but I have the exact same problem. Hopefully someone more knowledgeable can help.

EDIT: looks like in my case at least I had to enable the file provider specifically in my config, in addition to my docker provider. @aleksvujic Cheers!


I have file provider enabled but I still get this message.

Oh dear, absolutely the same here. I tried it the last 2 days, no success...

Ok, I found the solution... weird
Yes, you have to enable the file provider, but with a path to the configuration itself...

# traefik.yml

# TLS (Transport Layer Security)
# https://docs.traefik.io/v2.0/https/tls/
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /ssl/ssl-wohnbuddy-local/_wildcard.wohnbuddy.local.crt
        keyFile: /ssl/ssl-wohnbuddy-local/_wildcard.wohnbuddy.local.key

  certificates:
    - certFile: /ssl/ssl-wohnbuddy-local/_wildcard.wohnbuddy.local.crt
      keyFile: /ssl/ssl-wohnbuddy-local/_wildcard.wohnbuddy.local.key

# https://docs.traefik.io/v2.0/routing/providers/docker/
# https://docs.traefik.io/v2.0/migration/v1-to-v2/#providers
providers:
  file:
    filename: /traefik.yml # THIS IS THE IMPORTANT PART
    watch: true # THIS IS THE IMPORTANT PART
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

or at least to a dynamic file... very strange, but that way it works..

@aleksvujic Can not reply, so edited this post:
yes, you must point it to the config file, where you set the tls default cert

I just tried it, to split it up into 2 config files. Works, as long as the certificate is set in the file you point the file provider to. AND the watch: true

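A check for the outcome this thread is about, as an added example (not code from the posts or from Traefik): it compares the certificate an endpoint actually serves with the certFile configured as the default. The function names, the probe without SNI and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file such as certFile."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def fetch_served_der(host, port=443, server_name=None, timeout=5.0):
    """Return the DER certificate the endpoint presents.

    server_name=None sends no SNI, so the store's default certificate is used.
    Verification is off on purpose: the result is fingerprinted, never trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def check_default_cert(pem_text, served_der):
    """Compare the served certificate with the configured one."""
    expected = leaf_fingerprint(pem_text)
    served = hashlib.sha256(served_der).hexdigest()
    return {"expected": expected, "served": served, "match": expected == served}


# Constructed sample: placeholder bytes standing in for real DER data.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_default_cert(SAMPLE_PEM, SAMPLE_DER))
```

Against a running instance, pass the contents of the configured certFile together with `fetch_served_der(host)`; a mismatch means a different certificate, such as the generated one, is being served.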

I have directory defined for file provider (it contains traefik.yml file), not filename like you. Do you think that this can be a problem?

Hi @aleksvujic, yes only filename works due to a bug currently happening on the version 2.0.1. You can follow the fix on this issue: https://github.com/containous/traefik/issues/5589 .

Before a new release of Traefik is done with the fix, you should stay on a file for the dynamic configuration, OR be aware that updates inside the watched directory might not be picked up by Traefik unless restarted.

@joeherold you might be interested in reading https://docs.traefik.io/v2.0/getting-started/configuration-overview/, which describes the behavior you see and the requirements of splitting configurations between "static" and "dynamic".

Thanks a lot! But my problem was not to understand the basics, but that I did not find anything in the documentation that the file provider must be set up to use a local certificate... 🙂

PS: uh, I can reply again 🙃

@dduportal In my opinion, it should be mentioned here: Traefik 2.0 TLS

Because that's where people take a look at, as I did myself.


To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the dynamic configuration, in the [[tls.certificates]] section:

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores). However, in Kubernetes, the certificates can and must be provided by secrets.

Ok, this was not as clear to me as. But obviously not only for me. I would add the code snippet as well, that the file provider must be registered as well in the static configuration.

Put it here: https://docs.traefik.io/v2.0/https/tls/#default-certificate

PS: don't get me wrong, I love Traefik, but this took me almost 3 days of debugging, and I am pretty sure there will be others who also come across this problem.

I would like to ask: In v2, is there at this moment a way to configure the default certificate in Kubernetes without having to switch to static mode / yml file inside the containers? Is it possible to pass it via command line parameters in the deployment?

I get this too... @joeherold is there any way to do what you did but in a docker-compose file? I'm trying to do this without more config files - and I understand that is possible in docker-compose using 'labels:' and 'command:'

Also, I'm trying to figure out why in Traefik's DEBUG output it says
"Adding certificate for domain(s)"
"No default certificate, generating one"
twice for each.

Did you figure out if this is possible? I, too, have been using compose files for all other config values, so it seems odd that a separate file would be required in this situation. Any insights appreciated.
