Traefik is not hot reloading the certificates


I'm trying to find how to reload traefik when my certificates (that are stored in files updated via rsync every now and then) are renewed.
But it seems that when the certificate files are updated on the host, traefik doesn't load the new ones, and that is an issue because I have to manually restart traefik in order to update them.

Here is my compose traefik config:

version: '3.6'

services:
  traefik:  # service name is not shown in the post; "traefik" is assumed
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.file.filename=config.toml
      - --api.insecure=true
      - --accesslog=true
    networks:
      - traefik
    restart: always
    ports:
      - '80:80'
      - '443:443'
      - '8080:8080'
    volumes:
      - /home/web/data/config.toml:/config.toml
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/ssl/eri/:/etc/ssl/eri/:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"

networks:
  traefik:
    external: true

And the config.toml file

defaultEntryPoints = ["http", "https"]

# Connection to docker host system (docker.sock)
[docker]
domain = ""
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "websecure"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ssl/eri/fullchain.pem"
      keyFile = "/etc/ssl/eri/privkey.pem"

[[tls.certificates]]
  certFile = "/etc/ssl/eri/fullchain.pem"
  keyFile  = "/etc/ssl/eri/privkey.pem"

Hoping that someone can help me.

Kind regards,


It is better if you use, mount your configuration into that path, and Traefik will load all the configuration files within said path.

Due to fsnotify being unreliable, Traefik will not watch individual certificate files; however, if you touch config.toml, this will force Traefik to reload the provider configuration (which includes the certificates), and those will be reloaded.

It's also worth noting that you have a mix of v1 and v2 Traefik in your configuration file, so you may want to take the time to remove some of the irrelevant pieces (pretty much everything except [[tls.certificates]]). Also, please update Traefik to the latest version for security updates and bug fixes: image: traefik:v2.3.2

Thanks for using Traefik and let us know if you have any other questions.
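
The touch-after-sync step described in the answer above, written out as a host-side script. This is an added example, not code from the thread or from the Traefik project. The certificate and config paths come from the question; STATE_FILE, the function names and the --run argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: touch the file-provider config only when the synced
# certificate or key actually changed. Run it from the job that runs rsync.
CERT_DIR="${CERT_DIR:-/etc/ssl/eri}"                      # path from the question
CONFIG_FILE="${CONFIG_FILE:-/home/web/data/config.toml}"  # host path from the question
STATE_FILE="${STATE_FILE:-/var/tmp/traefik-cert.sha256}"  # assumed location

# One digest over chain and key, so a change in either file is detected.
cert_digest() {
    cat "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" | sha256sum | cut -d' ' -f1
}

# Prints "reloaded", "unchanged" or "incomplete".
# Returns non-zero when nothing could safely be done.
reload_if_changed() {
    # A half-finished transfer must not trigger a reload:
    # both files have to exist and be non-empty.
    for f in fullchain.pem privkey.pem; do
        [ -s "$CERT_DIR/$f" ] || { echo incomplete; return 1; }
    done

    new=$(cert_digest)
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        echo unchanged
        return 0
    fi

    # Bump the mtime of the file the file provider reads, then record
    # the digest so the next run without changes is a no-op.
    touch "$CONFIG_FILE" || return 1
    echo "$new" > "$STATE_FILE"
    echo reloaded
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    reload_if_changed
fi
```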


Sorry for the (quite) late reply, the touch of the config.toml file doesn't seem to work, despite using instead.

Any idea?

Thanks in advance.