Traefik is not using the wildcard LE certs

juxeii · August 22, 2023, 9:17pm

I used to have a working traefik instance on a Synology NAS.
This NAS has been shutdown for some weeks.
I updated traefik to 2.10.4 and now this log is created(replaced real DNS names with mydns1 and mydns2):

time="2023-08-22T22:45:34+02:00" level=info msg="Traefik version 2.10.4 built on 2023-07-24T16:29:02Z"
time="2023-08-22T22:45:34+02:00" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"},\"file\":{\"watch\":true,\"filename\":\"/config.yml\"}},\"api\":{\"dashboard\":true,\"debug\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"production\":{\"acme\":{\"email\":\"juergen.reiss@gmx.de\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"httpChallenge\":{\"entryPoint\":\"http\"}}},\"staging\":{\"acme\":{\"email\":\"juergen.reiss@gmx.de\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme-staging.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"httpChallenge\":{\"entryPoint\":\"http\"}}},\"wildcard\":{\"acme\":{\"email\":\"juergen.reiss@gmx.de\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]}}}}}"
time="2023-08-22T22:45:34+02:00" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2023-08-22T22:45:35+02:00" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2023-08-22T22:45:35+02:00" level=info msg="Starting provider *file.Provider"
time="2023-08-22T22:45:35+02:00" level=debug msg="*file.Provider provider configuration: {\"watch\":true,\"filename\":\"/config.yml\"}"
time="2023-08-22T22:45:35+02:00" level=debug msg="Starting TCP Server" entryPointName=http
time="2023-08-22T22:45:35+02:00" level=debug msg="Starting TCP Server" entryPointName=https
time="2023-08-22T22:45:35+02:00" level=info msg="Starting provider *traefik.Provider"
time="2023-08-22T22:45:35+02:00" level=debug msg="*traefik.Provider provider configuration: {}"
time="2023-08-22T22:45:35+02:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-08-22T22:45:35+02:00" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2023-08-22T22:45:35+02:00" level=info msg="Starting provider *docker.Provider"
time="2023-08-22T22:45:35+02:00" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2023-08-22T22:45:35+02:00" level=info msg="Starting provider *acme.Provider"
time="2023-08-22T22:45:35+02:00" level=debug msg="*acme.Provider provider configuration: {\"email\":\"mymail@gmx.de\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]},\"ResolverName\":\"wildcard\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2023-08-22T22:45:35+02:00" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=wildcard.acme
time="2023-08-22T22:45:35+02:00" level=info msg="Testing certificate renew..." providerName=wildcard.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-22T22:45:35+02:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"acme-http\":{\"entryPoints\":[\"http\"],\"service\":\"acme-http@internal\",\"rule\":\"PathPrefix(`/.well-known/acme-challenge/`)\",\"priority\":2147483647}},\"services\":{\"acme-http\":{},\"api\":{},\"dashboard\":{},\"noop\":{}},\"serversTransports\":{\"default\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
     
023-08-22T22:45:35+02:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"files\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme\"],\"service\":\"files\",\"rule\":\"Host(`files.mydns1.org`)\"},\"files_sec\":{\"entryPoints\":[\"https\"],\"service\":\"files\",\"rule\":\"Host(`files.mydns1.org`)\",\"tls\":{}},\"fritzbox\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme\"],\"service\":\"fritzbox\",\"rule\":\"Host(`fritzbox.mydns1.org`)\"},\"fritzbox_sec\":{\"entryPoints\":[\"https\"],\"service\":\"fritzbox\",\"rule\":\"Host(`fritzbox.mydns1.org`)\",\"tls\":{}},\"pihole\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme\"],\"service\":\"pihole\",\"rule\":\"Host(`pihole.mydns1.org`)\"},\"pihole_sec\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"piholeAdmin\"],\"service\":\"pihole\",\"rule\":\"Host(`pihole.mydns1.org`)\",\"tls\":{}},\"toaster\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme\"],\"service\":\"toaster\",\"rule\":\"Host(`toaster.mydns1.org`)\"},\"toaster_sec\":{\"entryPoints\":[\"https\"],\"service\":\"toaster\",\"rule\":\"Host(`toaster.mydns1.org`)\",\"tls\":{}},\"webdav_sec\":{\"entryPoints\":[\"https\"],\"service\":\"webdav\",\"rule\":\"Host(`webdav.mydns1.org`)\",\"tls\":{}}},\"services\":{\"files\":{\"loadBalancer\":{\"servers\":[{\"url\":\"https://192.168.1.223:7001\"}],\"passHostHeader\":true}},\"fritzbox\":{\"loadBalancer\":{\"servers\":[{\"url\":\"https://192.168.1.1/\"}],\"passHostHeader\":true}},\"pihole\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.1.193\"}],\"passHostHeader\":true}},\"toaster\":{\"loadBalancer\":{\"servers\":[{\"url\":\"https://192.168.1.223:5001\"}],\"passHostHeader\":true}},\"webdav\":{\"loadBalancer\":{\"servers\":[{\"url\":\"https://192.168.1.223:5006/\"}],\"passHostHeader\":true}}},\"middlewares\":{\"https-redirectscheme\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}},\"non-www-to-www\":{\"redirectRegex\":{\"regex\":\"^https?://(?:www\\\\.)?(.+)\",\"replacement\":\"https://www.${1}\",\"permanent\":true}},\"piholeAdmin\":{\"addPrefix\":{\"prefix\":\"/admin\"}},\"secHeaders\":{\"headers\":{\"sslRedirect\":true,\"customFrameOptionsValue\":\"SAMEORIGIN\",\"contentTypeNosniff\":true,\"browserXssFilter\":true}},\"www-to-non-www\":{\"redirectRegex\":{\"regex\":\"^https://www\\\\.(.+)\",\"replacement\":\"https://${1}\",\"permanent\":true}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=file
time="2023-08-22T22:45:35+02:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=wildcard.acme
time="2023-08-22T22:45:35+02:00" level=info msg="Starting provider *acme.Provider"
time="2023-08-22T22:45:35+02:00" level=debug msg="*acme.Provider provider configuration: {\"email\":\"mymail@gmx.de\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme-staging.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"httpChallenge\":{\"entryPoint\":\"http\"},\"ResolverName\":\"staging\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2023-08-22T22:45:35+02:00" level=info msg="Starting provider *acme.Provider"
time="2023-08-22T22:45:35+02:00" level=debug msg="*acme.Provider provider configuration: {\"email\":\"mymail@gmx.de\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"httpChallenge\":{\"entryPoint\":\"http\"},\"ResolverName\":\"production\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2023-08-22T22:45:35+02:00" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=production.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-22T22:45:35+02:00" level=info msg="Testing certificate renew..." providerName=production.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-22T22:45:35+02:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=production.acme
time="2023-08-22T22:45:35+02:00" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-08-22T22:45:35+02:00" level=info msg="Testing certificate renew..." providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-08-22T22:45:35+02:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=staging.acme
time="2023-08-22T22:45:35+02:00" level=debug msg="Provider connection established with docker 20.10.23 (API 1.41)" providerName=docker
time="2023-08-22T22:45:35+02:00" level=debug msg="Filtering disabled container" providerName=docker container=mariadb-photoprism-0fbf7f4eb7a47c21fc789c3a2b33b5111ae1a8c648bf3b04684c7df5c417373d
time="2023-08-22T22:45:35+02:00" level=debug msg="Filtering disabled container" providerName=docker container=pihole-pihole-021a05c029da80d13bb79333f7c854d71c478586a78a4b2e98dde9ef9a870e44
time="2023-08-22T22:45:35+02:00" level=debug msg="Filtering disabled container" providerName=docker container=db-gitea-3fc3a84e41debf8452e7634ddac5d8e968153de116ea3780d2eeaaa1bda99777
time="2023-08-22T22:45:35+02:00" level=debug msg="Filtering disabled container" providerName=docker container=cloudflared-cloudflared-772bb815f3990a98d582cfc50f2c45682eac46ba01f691f3c275ba1709bde690
time="2023-08-22T22:45:35+02:00" level=debug msg="Filtering disabled container" providerName=docker container=db-wordpress-mydns2-19071b51eb1c9d1249b434638dfc9c5c146500f507a063c7e6211343ed26ac71
time="2023-08-22T22:45:35+02:00" level=debug msg="Filtering disabled container" container=db-wordpress-mydns1-354278e9394b25b43631c6214cfdb63dcc561ecbfcd42ab0ded125370bd4bce6 providerName=docker
time="2023-08-22T22:45:35+02:00" level=debug msg="Filtering disabled container" providerName=docker container=bitcoind-bitcoin-node-a752a27536e22168ec8ae71d5afc9b65679d2ef858a289c967794484b61eb14d
time="2023-08-22T22:45:35+02:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"calibre\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\"],\"service\":\"calibre\",\"rule\":\"Host(`calibre.mydns1.org`)\"},\"calibre-secure\":{\"entryPoints\":[\"https\"],\"service\":\"calibre\",\"rule\":\"Host(`calibre.mydns1.org`)\",\"tls\":{}},\"calibre-web\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\"],\"service\":\"calibre-web\",\"rule\":\"Host(`calibre-web.mydns1.org`)\"},\"calibre-web-secure\":{\"entryPoints\":[\"https\"],\"service\":\"calibre-web\",\"rule\":\"Host(`calibre-web.mydns1.org`)\",\"tls\":{}},\"gitea\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\"],\"service\":\"gitea\",\"rule\":\"Host(`gitea.mydns1.org`)\"},\"gitea-secure\":{\"entryPoints\":[\"https\"],\"service\":\"gitea\",\"rule\":\"Host(`gitea.mydns1.org`)\",\"tls\":{}},\"mydns2\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\",\"non-www-to-www@file\"],\"service\":\"mydns2\",\"rule\":\"Host(`mydns2.com`, `www.mydns2.com`)\"},\"mydns2-secure\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"non-www-to-www@file\"],\"service\":\"mydns2\",\"rule\":\"Host(`mydns2.com`,`www.mydns2.com`)\",\"tls\":{}},\"heimdall\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\"],\"service\":\"heimdall\",\"rule\":\"Host(`heimdall.mydns1.org`)\"},\"heimdall-secure\":{\"entryPoints\":[\"https\"],\"service\":\"heimdall\",\"rule\":\"Host(`heimdall.mydns1.org`)\",\"tls\":{}},\"mydns1\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\",\"non-www-to-www@file\"],\"service\":\"mydns1\",\"rule\":\"Host(`mydns1.org`, `www.mydns1.org`)\"},\"mydns1-secure\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"non-www-to-www@file\"],\"service\":\"mydns1\",\"rule\":\"Host(`mydns1.org`, `www.mydns1.org`)\",\"tls\":{}},\"photoprism\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\"],\"service\":\"photoprism\",\"rule\":\"Host(`bilder.mydns1.org`)\"},\"photoprism-secure\":{\"entryPoints\":[\"https\"],\"service\":\"photoprism\",\"rule\":\"Host(`bilder.mydns1.org`)\",\"tls\":{}},\"portainer\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\"],\"service\":\"portainer\",\"rule\":\"Host(`portainer.mydns1.org`)\"},\"portainer-secure\":{\"entryPoints\":[\"https\"],\"service\":\"portainer\",\"rule\":\"Host(`portainer.mydns1.org`)\",\"tls\":{}},\"traefik\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"https-redirectscheme@file\"],\"service\":\"traefik\",\"rule\":\"Host(`traefik.mydns1.org`)\"},\"traefik-secure\":{\"entryPoints\":[\"https\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.mydns1.org`)\",\"tls\":{}},\"whoami-secure\":{\"service\":\"noop@internal\",\"rule\":\"Host(`traefik-traefik`)\",\"tls\":{\"certResolver\":\"wildcard\",\"domains\":[{\"main\":\"*.mydns1.org\"},{\"main\":\"*.mydns2.com\"}]}}},\"services\":{\"calibre\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.5:8080\"}],\"passHostHeader\":true}},\"calibre-web\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.6:8083\"}],\"passHostHeader\":true}},\"gitea\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.3:3000\"}],\"passHostHeader\":true}},\"mydns2\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.8:80\"}],\"passHostHeader\":true}},\"heimdall\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.7:80\"}],\"passHostHeader\":true}},\"mydns1\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.9:80\"}],\"passHostHeader\":true}},\"photoprism\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.4:2342\"}],\"passHostHeader\":true}},\"portainer\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.2:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.29.0.10:888\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-08-22T22:45:35+02:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for traefik-traefik with TLS options default" entryPointName=http
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for portainer.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for calibre.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for traefik-traefik with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for mydns2.com with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for bilder.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for files.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for toaster.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for gitea.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for www.mydns2.com with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for fritzbox.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for traefik.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for heimdall.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for pihole.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for www.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for calibre-web.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Adding route for webdav.mydns1.org with TLS options default" entryPointName=https
time="2023-08-22T22:45:37+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"*.mydns2.com\"]..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=wildcard.acme
time="2023-08-22T22:45:37+02:00" level=debug msg="No ACME certificate generation required for domains [\"*.mydns2.com\"]." providerName=wildcard.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-22T22:45:37+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"*.mydns1.org\"]..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=wildcard.acme
time="2023-08-22T22:45:37+02:00" level=debug msg="No ACME certificate generation required for domains [\"*.mydns1.org\"]." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=wildcard.acme

The wildcards no longer work, only the default certs are issued by traefik. Any ideas what is going on?

bluepuma77 · August 23, 2023, 7:28am

If the config hasn’t changed, did the domains, IPs or credentials change?

juxeii · August 23, 2023, 9:44am

Sorry, there is no issue actually. I overlooked something. Topic closed!

Topic		Replies	Views
Struggling with Traefik, Wildcard LE certs and Portainer Traefik v3 (latest) letsencrypt-acme	2	176	February 15, 2025
Traefik not using wildcard domain certificate, even though acme.json is populated and valid Traefik v3 (latest) docker	7	172	March 9, 2025
Wildcard certs not working (using Route53) Traefik v2 letsencrypt-acme	15	1812	July 11, 2023
Failing to get Synology NAS behind Traefik w/wildcard cert Traefik v2 docker , letsencrypt-acme	5	3458	January 9, 2023
Traefik with letsencrypt not renewing the cert Traefik v2 docker , letsencrypt-acme	5	3467	August 29, 2023

Traefik is not using the wildcard LE certs

Related topics