Docker logs:
2025-11-15T19:49:17Z INF Starting provider aggregator *aggregator.ProviderAggregator
2025-11-15T19:49:17Z INF Starting provider *file.Provider
2025-11-15T19:49:17Z INF Starting provider *traefik.Provider
2025-11-15T19:49:17Z INF Starting provider *docker.Provider
2025-11-15T19:49:17Z INF Starting provider *acme.ChallengeTLSALPN
2025-11-15T19:49:17Z INF Starting provider *acme.Provider
2025-11-15T19:49:17Z INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
What could cause it to get stuck on "Testing certificate renew..."?
When I run curl -4 -v https://<my-domain>, I see a TLS connect error:
Host <my-host-name> was resolved.
* Trying 77.163.186.137:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, unrecognized name (624):
* TLS connect error: error:0A000458:SSL routines::tlsv1 unrecognized name
* closing connection #0
curl: (35) TLS connect error: error:0A000458:SSL routines::tlsv1 unrecognized name
I get a similar error for IPv6 curl -6 -v https://<my-domain>.
What can I do to fix it? Here are the contents of my config files:
docker-compose.yml
# Compose definition for the Traefik reverse-proxy container.
services:
  traefik:
    # NOTE(review): `latest` is a floating tag, so the Traefik version can
    # change on any pull; pinning a release tag keeps upgrades deliberate.
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443/tcp"
      # UDP 443 is published alongside TCP; traefik.yml enables `http3` on
      # the websecure entry point, which is served over UDP.
      - "443:443/udp"
    volumes:
      # NOTE(review): `:ro` only makes the socket file read-only; it does not
      # restrict the Docker API. Whatever can reach this socket can still
      # issue any API call, so this mount gives the container control of the
      # Docker daemon. A socket proxy that allows only the read endpoints is
      # the usual way to narrow it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/docker/volumes/traefik/traefik.yml:/traefik.yml:ro
      - /etc/docker/volumes/traefik/traefik_dynamic.yml:/traefik_dynamic.yml:ro
      # Mounted read-write: acme.json stores the ACME account key and the
      # certificate private keys. Traefik refuses to use the file unless its
      # mode on the host is 600.
      - /etc/docker/volumes/traefik/acme.json:/acme.json
    networks:
      - traefik
networks:
  # Pre-existing network; Compose does not create it (`external: true`).
  traefik:
    external: true
traefik.yml
# Traefik static configuration: logging, entry points, dashboard API,
# ACME certificate resolver, providers and the default backend transport.
log:
  level: INFO
entryPoints:
  web:
    address: ':80/tcp'
    http:
      # Every request arriving on port 80 is redirected to the HTTPS entry
      # point.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443/tcp'
    http:
      # Middlewares applied to every router on this entry point; both are
      # defined in the file provider's dynamic configuration.
      middlewares:
        - compress@file
        - hsts@file
      # Default TLS settings for routers on this entry point: certificates
      # are requested through the `letsencrypt` resolver below.
      tls:
        certResolver: letsencrypt
    http3: {}
api:
  # The dashboard is only reachable through a router that targets
  # `api@internal`, so its protection depends entirely on the middlewares
  # attached to that router (basic auth in traefik_dynamic.yml).
  dashboard: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: <email>
      # Relative path, resolved against the container's working directory.
      storage: acme.json
      # HTTP-01 challenge answered on the port-80 entry point, so port 80
      # must be reachable from the internet for issuance and renewal.
      httpChallenge:
        entryPoint: web
providers:
  docker:
    watch: true
    network: traefik
    # Containers are ignored unless they opt in with `traefik.enable=true`.
    exposedByDefault: false
  file:
    filename: traefik_dynamic.yml
serversTransport:
  # NOTE(review): this turns off verification of the certificates presented
  # by backend servers for every service using the default transport, so
  # the hop between Traefik and an HTTPS backend is not authenticated.
  # Supplying `rootCAs`, or scoping a named serversTransport to the backends
  # that need it, keeps verification on everywhere else.
  insecureSkipVerify: true
traefik_dynamic.yml
# Traefik dynamic configuration (file provider): middlewares, the dashboard
# router and the default TLS options.
http:
  middlewares:
    # Middleware named `services`: HTTP basic auth, attached to the `api`
    # router below. Each entry is `user:hash`.
    services:
      basicAuth:
        users:
          - '<username>:<password-hash>'
    compress:
      compress: {}
    hsts:
      headers:
        # 2592000 seconds = 30 days of Strict-Transport-Security max-age.
        stsSeconds: 2592000
  routers:
    # Exposes the internal dashboard/API service on the HTTPS entry point,
    # behind the basic-auth middleware.
    api:
      rule: Host(`<domain>`)
      entrypoints:
        - websecure
      middlewares:
        - services
      service: api@internal
tls:
  options:
    # Options named `default` apply to every router that does not select
    # another TLS options set.
    default:
      # These suites are only negotiated for TLS 1.2; TLS 1.3 suites are not
      # configurable here. All three are ECDHE_RSA, so they require an RSA
      # certificate key; with an ECDSA certificate, TLS 1.2 clients would
      # have no usable suite.
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      # With strict SNI, Traefik rejects any handshake whose server name
      # matches none of the certificates it holds and does not fall back to
      # its default certificate. That is consistent with the
      # `unrecognized name` alert shown by curl above: until a certificate
      # exists for the exact host name requested, the handshake is refused.
      # NOTE(review): check that the Host() rule above and the domain stored
      # in acme.json name the same host.
      sniStrict: true
acme.json
{
"letsencrypt": {
"Account": {
"Email": "<email>",
"Registration": {
"body": {
"status": "valid"
},
"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/2800940876"
},
"PrivateKey": "<privatekey>>
"KeyType": "4096"
},
"Certificates": [
{
"domain": {
"main": "<subdomain>.<domain>"
},
"certificate": "<certicate>>
"key": "<key>>
"Store": "default"
}
]
}
}