Problem with tls challenge - Get the default traefik certificate

Hi @alorence,

I solved the problem with the Let's Encrypt community:

On my side, I have a load balancer in front of my Swarm cluster, so the HTTP challenge or TLS challenge usually can't work, because several Let's Encrypt servers will try to check the challenge. My LB will just dispatch the request and the challenge will fail.

I have migrated to the DNS challenge, which works very nicely.

Another point: you can't do high availability with Traefik community, because when you have several instances of Traefik, one will generate the certificate and store it on an NFS server (acme.json). But the other instances won't reload the acme.json file unless you do a docker service update to restart them.

You can do the same test that I did.

  1. Just deploy Traefik as a global service
  2. Deploy a service with Traefik labels and TLS with ACME generation
  3. Go to your service with a browser and regenerate the page with no cache. You will see that when you hit the Traefik instance that generated the certificate, it's OK, but when you hit the other Traefik instances, you will get the default Traefik certificate.
  4. docker service update --force traefik
  5. Go to your page and regenerate (it's working)

So you can deploy only one Traefik instance that generates certificates, and the service is load-balanced through the routing mesh of the Docker nodes. So you can have a little delay when your Traefik crashes and gets restarted by Docker.

HA is available with Traefik Enterprise, as I understand.

hilne
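
The test in steps 3 to 5 above, scripted instead of reloading in a browser (an added example, not part of the original post): it fetches the certificate each Traefik instance serves and flags instances still on the fallback certificate. It assumes each node address reaches one specific instance (for example a host-mode published port) and that the fallback certificate's subject CN is `TRAEFIK DEFAULT CERT`; the function names are hypothetical.

```python
import hashlib
import socket
import ssl
import sys

# Assumption: subject CN of Traefik's built-in fallback certificate.
# The CN string is stored as raw bytes inside the DER, so a substring test finds it.
DEFAULT_CN = b"TRAEFIK DEFAULT CERT"


def fetch_cert(node, hostname, port=443, timeout=5.0):
    """Return the DER leaf certificate that `node` serves for SNI `hostname`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the cert is inspected here, not trusted
    ctx.verify_mode = ssl.CERT_NONE  # the fallback cert is self-signed
    with socket.create_connection((node, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def classify(certs):
    """Map node -> (status, sha256 prefix) for a dict of node -> DER bytes."""
    report = {}
    for node, der in certs.items():
        status = "default" if DEFAULT_CN in der else "other"
        report[node] = (status, hashlib.sha256(der).hexdigest()[:16])
    return report


def stale_nodes(report):
    """Nodes that are still serving the fallback certificate."""
    return sorted(n for n, (status, _) in report.items() if status == "default")


def consistent(report):
    """True when every node serves the same certificate."""
    return len({fp for _, fp in report.values()}) <= 1


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_certs.py <hostname> <node-ip> [<node-ip> ...]")
    host, nodes = sys.argv[1], sys.argv[2:]
    report = classify({n: fetch_cert(n, host) for n in nodes})
    for n, (status, fp) in sorted(report.items()):
        print(f"{n:<20} {status:<8} sha256={fp}")
    # Non-zero exit if any instance is on the fallback cert or the instances disagree.
    sys.exit(1 if stale_nodes(report) or not consistent(report) else 0)
```

Run it once before and once after `docker service update --force traefik`; a non-zero exit means at least one instance has not picked up the certificate in acme.json.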