Traefik refuses to use my valid ACME certificate, falls back to self signed

pgel · August 3, 2023, 7:01pm

Hi all,

I have a traefik container running in docker I use as a reverse proxy.

Recently, Traefik started serving only self-signed certificates instead of my ACME certificate. the following error message started appearing:

level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

I have verified that:

My certificate is valid and Traefik manages to read it
My sites use the correct resolver (verified with curl http://localhost:8080/api/http/routers/[my-router]@docker - returns the correct resolver name)
This is not an environment issue (repeats itself even with live installs, and new, basic Traefik settings
ACME configuration is correct (removing the certificate file and restarting the container - new certificates are successfully generated)

My domain is properly propagated and Traefik shows no errors.

I have no idea how to fix this or what to check... any and all advice would be greatly appreciated.

Thanks!

bluepuma77 · August 4, 2023, 6:22am

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

pgel · August 4, 2023, 7:26pm

For reasons unknown to me, the fix was deleting my ACME DNS (TXT) record, removing my acme.json file, and getting a new certificate from scratch. This was the process:

Delete ACME record from DNS - I use Cloudflare and my domain is registered with Porkbun - so I logged into each and removed the ACME DNS record.
Stop Traefik and delete the acme.json file
Restart Traefik
Wait a few minutes for new certificates to be generated.

I have no idea what went wrong, but this was the fix. Also sharing my configuration and the error messages in case someone else stumbles upon this issue:

docker-compose.yml:

  traefik:
    image: "traefik:v2.10.4"
    container_name: "traefik"
    privileged: true
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
        #      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=[my Cloudflare email]"
      - "--certificatesresolvers.myresolver.acme.storage=/certs/acme.json"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - CF_API_KEY=[my API key]
      - CF_API_EMAIL=[my Cloudflare email]
      - CF_DNS_API_TOKEN=[my API token]
    volumes:
      - "./certs:/certs"
      - "/var/run/docker.sock:/var/run/docker.sock"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.domain.entrypoints=websecure"
      - "traefik.http.routers.domain.rule=Host(`my-domain.com`)"
      - "traefik.http.routers.domain.tls.certresolver=myresolver"
      - "traefik.http.routers.domain.middlewares=domain"
      - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver" # New label #1
      - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=my-domain.com" # New label #2
# The last two labels were added to troubleshoot this issue - everything worked fine without them before hand

As mentioned above, this is the message that tipped me off to the error:

level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

I could see my ACME certificate was OK by checking with curl:

root@My-SRV:/# curl http://localhost:8282/api/http/routers/[my-service]@docker
{"entryPoints":["websecure"],"service":"[my-service]","rule":"Host(`[service.my-domain.com]`)","tls":{"options":"default","certResolver":"myresolver"},"status":"enabled","using":["websecure"],"name":"[my-service]@docker","provider":"docker"}
# The 'certresovlver` is the one I set up in the compose above to use ACME validation

In addition, I could tell the certificate was OK by reading the /certs/acme.json file from inside the container:

/ # cat /certs/acme.json | grep valid
          "status": "valid",

I could also see this message repeating for all my subdomains:

level=debug msg="No ACME certificate generation required for domains [\"service.domain.com\"]." rule="Host(`service.domain.com`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=myresolver.acme routerName=my-service@docker

All of these (eventually) led me to conclude nothing is wrong with Traefik nor with my certificate, hence deleting the DNS record.

I hope this helps - will gladly provide more info if needed.

system · August 7, 2023, 7:27pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ACME Cert with docker Traefik v2 (latest) docker	3	1844	December 16, 2019
Letsencrypt DNS-ACME: No default certificate, fallback to the internal generated certificate Traefik v2 (latest) docker , letsencrypt-acme	12	2916	March 8, 2023
Traefik Uses Self-Signed Certificate Instead of ACME/Letsencrypt One Traefik v2 (latest) letsencrypt-acme	1	2196	March 21, 2020
ACME Default Certificate does not work Traefik v2 (latest) docker , letsencrypt-acme	1	116	February 8, 2024
Bad logs: no ACME certificate Traefik v2 (latest) letsencrypt-acme	1	41	April 11, 2024

Traefik refuses to use my valid ACME certificate, falls back to self signed

Related Topics