Traefik not renewing certs, "missing credentials" but not really

traefik (I believe) 1.7.12; 'latest' tag as of July 2, 2019

Established stable configuration has been running for quite some time (long enough for the certs to need to be renewed, at least once - honestly I can't even remember how long) and today, all of my sites fail SSL - certificate out of date. Traefik has not been renewing them. As a diagnostic, I attempted to reset acme data by removing acme.json - now when I start Traefik, I get the following:

time="2019-07-02T08:06:45Z" level=error msg="Unable to obtain ACME certificate for domains \"<snip>\" detected thanks to rule \"Host:<snip>\" : cannot get ACME client cloudflare: some credentials information are missing: CLOUDFLARE_EMAIL,CLOUDFLARE_API_KEY"

Meanwhile, Portainer (and docker inspect) both show the same environment variables I had previously configured, during initial setup. These values have not changed; I use the same email, and it has the same API key.

Clip from docker inspect core_traefik_1;

"Env": [ "CF_API_EMAIL = \"SNIP\"", "CF_API_KEY = \"SNIP\"", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ],

Portainer shows the same environment variables, and they're also correct (of course);

I attempted to docker exec a shell to inspect it from the inside but there don't seem to be any (that I can figure out) and from there I don't know where to go to resolve this bug.


The “default” official Docker image is a “FROM SCRATCH” image and because of that there are no shell.

We provide an alpine based official Docker image: traefik:v1.7.12-alpine.
With the alpine version you will be able to use a shell (/bin/sh)

I note some weird things:

  • CF_API_EMAIL and CF_API_KEY contains spaces before and after the =, this is not a valid syntax for env vars and I think it’s a the root cause of your problem.
  • the values of CF_API_EMAIL and CF_API_KEY contains quote \", then the values read by Traefik will contains quotes and this will result to a invalid key and email.

Hello! Thanks for your attention.

Regarding the default docker image, I pretty much assumed that would be the case - more and more containers are going that way, and I do appreciate the slimming efforts. I would suggest a note in the documentation somewhere indicating that the alpine build exists and contains a shell binary to assist with troubleshooting, etc etc -- if I had known as much, I would not have wasted your time. My exact intent was to pull a shell up and check if the environment variables were being properly parsed, IE, if I had done exactly what you so swiftly realized I had done.

Speaking of which - you are of course correct on both counts. The spaces and the quotes were both present (not literal-quote IE " in the text, that appears to be a formatting-mangling thing somewhere between the terminal, browser, Github, and/or here) and both caused separate sorts of errors when removed independently (I wanted to learn how it would react to each in turn) and upon re-launching .....there's no 'docker logs' output. I probably have logging turned down/off or some such, but Cloudflare is showing DNS _acme-challenge TXT entries so it's certainly working now!

Thank you for your help!