Traefik Cert/second domain not working

Hello here! I have come across a bit of a problem... I had a working setup with Traefik for months now, wanted to add a second domain today and I am unable to pull a cert for it. To test if it is working at all, I tried regenerating my main domain cert, which also does not seem to be getting pulled.

Most likely I am misunderstanding something but as I checked out the docs I still have no idea why it would not work.

Here is my Traefik compose, with unrelated parts (log config etc.) trimmed:

  traefik:
    command:
      - --entrypoints.http.address=:80
      - --entrypoints.http.asDefault=false
      - --entrypoints.http.http.redirections.entrypoint.to=https
      - --entrypoints.http.http.redirections.entrypoint.scheme=https
      - --entrypoints.http.http.redirections.entrypoint.permanent=true
      - --entrypoints.https.address=:443
      - --entrypoints.https.http.tls.options=tls-opts@file
      # - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAIN_ONE
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAIN_ONE
      - --entrypoints.https.http.tls.domains[1].main=$DOMAIN_TWO
      - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAIN_TWO
      - --entrypoints.https.http3
      - --entrypoints.https.http3.advertisedPort=:443
      - --entrypoints.https.asDefault=true
      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS #https://www.cloudflare.com/ips/
      - --entrypoints.traefik.address=:8080

      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAIN_ONE`)
      - --providers.file.directory=/rules
      - --providers.file.watch=true

      - --certificatesResolvers.dns-cloudflare.acme.email=XXX@XXX.com
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge=true
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory #Staging Server
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.propagation.delayBeforeChecks=90
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    networks:
      proxy:
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: udp
        mode: host
    secrets:
      - source: cloudflare_api_key
        target: /run/secrets/cloudflare_api_key
      - source: cloudflare_email
        target: /run/secrets/cloudflare_email
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /traefik/acme.json:/acme.json
      - /traefik/rules:/rules:ro
    environment:
      CF_API_KEY_FILE: /run/secrets/cloudflare_api_key
      CF_API_EMAIL_FILE: /run/secrets/cloudflare_email
    labels:
      traefik.enable: true
      traefik.http.routers.traefik-rtr.entrypoints: https
      traefik.http.routers.traefik-rtr.rule: Host(`traefik.$DOMAIN_ONE`)
      traefik.http.routers.traefik-rtr.tls: true
      traefik.http.routers.traefik-rtr.service: api@internal

In the first place, I had the config without:

      - --entrypoints.https.http.tls.domains[1].main=$DOMAIN_TWO
      - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAIN_TWO

I thought adding that would let me get certs for the second domain. The second domain is different from the first one, but is on the same Cloudflare account (using the global API key).

But as I could not generate it, I tried removing it and the existing cert for the existing domain - only an empty file is getting created. I set logs to DEBUG, but I did not see anything interesting in them. There are no errors about acme, just the following:

2025-04-06T17:38:43+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2025-04-06T17:38:43+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"dns-cloudflare","TLSChallengeProvider":{},"caServer":"https://acme-staging-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]},"email":"XXX@XXX.com","keyType":"RSA4096","storage":"/acme.json","store":{}}
2025-04-06T17:38:43+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:232 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=dns-cloudflare.acme
2025-04-06T17:38:43+02:00 INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:884 > Testing certificate renew... acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=dns-cloudflare.acme

and that configuration was loaded.

(I did most of the tests on staging server)

If I replace the empty acme file with the previously pulled cert, Traefik starts up, but still does not generate a cert for the second domain. I assume I got blocked by Let's Encrypt for too many attempts to generate certs, but on the internet I found out it should still show some error in the debug log, and there is nothing for me. In any case, the second domain is getting ignored.

What could I be doing wrong? Using the latest v3 Traefik, which is 3.3.5 at the moment.
My cert should auto-renew in about 2 weeks, so that would be a check of whether it does, but I still need to get the second domain working.

If you don't assign the certresolver, then LetsEncrypt will not be used.

This will only enable using loaded TLS certs, not LetsEncrypt. Remove it. Compare to simple Traefik dnsChallenge example.

Use docker inspect traefik to check if all variable substitutions worked correctly in command and labels.


Thanks, I have tried with
# - --entrypoints.https.http.tls.certresolver=dns-cloudflare
enabled earlier, but it would not work then. In addition I have removed the
traefik.http.routers.traefik-rtr.tls: true
and it generated a cert for the second domain, but then the first domain (on the subdomain I removed the label from, so traefik.$DOMAIN_ONE) would not work until I added
traefik.http.routers.traefik-rtr.tls: true
back. I will get back to it in a few hours, but something has changed, so that's good! Thank you very much!

To sum it up, I have to use "tls: true", otherwise Cloudflare will not let me connect. But I have found the root issue with the config.
I had to remove all "traefik.http.routers.traefik-rtr.tls: true" rules from all my services and instead put that on the entrypoint once (- --entrypoints.https.http.tls=true); now Cloudflare works and certs are getting generated.

Thank you @bluepuma77 for helping out :)
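As an added example (not code from this thread, from Traefik or from bluepuma77), here is a trimmed compose file that applies the fix the thread ended with: TLS and the ACME resolver are declared once on the https entrypoint, the wildcard domains for both zones hang off that entrypoint, and routed services carry no per-router `tls: true` label (a router-level tls section overrides the entrypoint's TLS settings, resolver included, which is consistent with the behaviour seen above). The service name `whoami`, its image, the `$ACME_EMAIL` variable and the secret names are assumptions; `$DOMAIN_ONE` and `$DOMAIN_TWO` are the thread's own placeholders, substituted by compose from a `.env` file.

```yaml
# Added example, not the poster's config: entrypoint-level TLS + ACME for two domains.
# Assumed names: whoami service/image, ACME_EMAIL variable, secret names.
services:
  traefik:
    image: traefik:v3.3.5
    command:
      - --entrypoints.http.address=:80
      - --entrypoints.http.http.redirections.entrypoint.to=https
      - --entrypoints.http.http.redirections.entrypoint.scheme=https
      - --entrypoints.https.address=:443
      - --entrypoints.https.asDefault=true
      # Fix 1: enable TLS once, on the entrypoint, instead of "tls: true" on every router
      - --entrypoints.https.http.tls=true
      # Fix 2: bind the ACME resolver here; without a certresolver Let's Encrypt is never used
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      # One wildcard certificate per domain entry (wildcards require the DNS challenge)
      - --entrypoints.https.http.tls.domains[0].main=$DOMAIN_ONE
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAIN_ONE
      - --entrypoints.https.http.tls.domains[1].main=$DOMAIN_TWO
      - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAIN_TWO
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --certificatesresolvers.dns-cloudflare.acme.email=$ACME_EMAIL
      - --certificatesresolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      # Staging CA while testing, so failed attempts do not count against production rate limits
      - --certificatesresolvers.dns-cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    environment:
      # Cloudflare credentials read from files, so the key never appears in the command line
      CF_API_EMAIL_FILE: /run/secrets/cloudflare_email
      CF_API_KEY_FILE: /run/secrets/cloudflare_api_key
    secrets:
      - cloudflare_email
      - cloudflare_api_key
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /traefik/acme.json:/acme.json   # must exist with mode 0600 before first start
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"

  # A service on the second domain: note there is no traefik.http.routers.*.tls label;
  # it inherits TLS and the resolver from the https entrypoint.
  whoami:
    image: traefik/whoami
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.whoami.entrypoints: https
      traefik.http.routers.whoami.rule: Host(`whoami.$DOMAIN_TWO`)

networks:
  proxy:
    external: true

secrets:
  cloudflare_email:
    file: ./secrets/cloudflare_email
  cloudflare_api_key:
    file: ./secrets/cloudflare_api_key
```

After a restart, `docker inspect traefik` (as suggested above) shows whether `$DOMAIN_ONE`, `$DOMAIN_TWO` and `$ACME_EMAIL` were actually substituted in the command array; an unexpanded variable there means the domain list Traefik received is wrong, not the resolver. Once the staging CA issues both wildcard certificates, the `acme.json` store lists one entry per `domains[n]` block under the `dns-cloudflare` resolver, and only then is the `caserver` line switched to the production directory.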
