Traefik refuses to use my valid ACME certificate, falls back to self signed

Hi all,

I have a traefik container running in docker I use as a reverse proxy.

Recently, Traefik started serving only self-signed certificates instead of my ACME certificate. the following error message started appearing:

level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

I have verified that:

  1. My certificate is valid and Traefik manages to read it
  2. My sites use the correct resolver (verified with curl http://localhost:8080/api/http/routers/[my-router]@docker - returns the correct resolver name)
  3. This is not an environment issue (repeats itself even with live installs, and new, basic Traefik settings
  4. ACME configuration is correct (removing the certificate file and restarting the container - new certificates are successfully generated)

My domain is properly propagated and Traefik shows no errors.

I have no idea how to fix this or what to check... any and all advice would be greatly appreciated.


Share your full Traefik static and dynamic config, and docker-compose.yml if used.

For reasons unknown to me, the fix was deleting my ACME DNS (TXT) record, removing my acme.json file, and getting a new certificate from scratch. This was the process:

  • Delete ACME record from DNS - I use Cloudflare and my domain is registered with Porkbun - so I logged into each and removed the ACME DNS record.
  • Stop Traefik and delete the acme.json file
  • Restart Traefik
  • Wait a few minutes for new certificates to be generated.

I have no idea what went wrong, but this was the fix. Also sharing my configuration and the error messages in case someone else stumbles upon this issue:


    image: "traefik:v2.10.4"
    container_name: "traefik"
    privileged: true
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - ""
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
        #      - "--certificatesresolvers.myresolver.acme.caserver="
      - "[my Cloudflare email]"
      - ""
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers="
      - "80:80"
      - "443:443"
      - "8080:8080"
      - CF_API_KEY=[my API key]
      - CF_API_EMAIL=[my Cloudflare email]
      - CF_DNS_API_TOKEN=[my API token]
      - "./certs:/certs"
      - "/var/run/docker.sock:/var/run/docker.sock"
    restart: unless-stopped
      - "traefik.enable=true"
      - "traefik.http.routers.domain.entrypoints=websecure"
      - "traefik.http.routers.domain.rule=Host(``)"
      - "traefik.http.routers.domain.tls.certresolver=myresolver"
      - "traefik.http.routers.domain.middlewares=domain"
      - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver" # New label #1
      - "" # New label #2
# The last two labels were added to troubleshoot this issue - everything worked fine without them before hand

As mentioned above, this is the message that tipped me off to the error:

level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

I could see my ACME certificate was OK by checking with curl:

root@My-SRV:/# curl http://localhost:8282/api/http/routers/[my-service]@docker
# The 'certresovlver` is the one I set up in the compose above to use ACME validation

In addition, I could tell the certificate was OK by reading the /certs/acme.json file from inside the container:

/ # cat /certs/acme.json | grep valid
          "status": "valid",

I could also see this message repeating for all my subdomains:

level=debug msg="No ACME certificate generation required for domains [\"\"]." rule="Host(``)" ACME CA="" providerName=myresolver.acme routerName=my-service@docker

All of these (eventually) led me to conclude nothing is wrong with Traefik nor with my certificate, hence deleting the DNS record.

I hope this helps - will gladly provide more info if needed.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.