Hi Community Members,

We have Traefik version 3.6.4 running as a Docker container inside an AWS ECS service.
It has an EFS mounted volume file system.
Redis is the dynamic configuration provider.
Static configuration is defined as CLI commands as follows:
```json
{
  "command": [
    "--api.insecure=true",
    "--log.format=json",
    "--log.level=DEBUG",
    "--entrypoints.web.address=:80",
    "--entrypoints.web.transport.respondingtimeouts.idletimeout=20",
    "--entrypoints.web.transport.respondingtimeouts.readtimeout=20",
    "--entrypoints.web.transport.respondingtimeouts.writetimeout=20",
    "--entrypoints.websecure.address=:443",
    "--entrypoints.websecure.http.tls.certResolver=lestandard",
    "--entrypoints.websecure.transport.respondingtimeouts.idletimeout=60",
    "--entrypoints.websecure.transport.respondingtimeouts.readtimeout=60",
    "--entrypoints.websecure.transport.respondingtimeouts.writetimeout=60",
    "--certificatesresolvers.lestandard.acme.email=XXXX",
    "--certificatesresolvers.lestandard.acme.dnschallenge=true",
    "--certificatesresolvers.lestandard.acme.dnschallenge.provider=route53",
    "--certificatesresolvers.lestandard.acme.storage=/mount/efs-certs/acme.json",
    "--providers.providersThrottleDuration=60s",
    "--providers.redis.endpoints=XXXX:6379",
    "--providers.redis.tls.insecureSkipVerify=true"
  ]
}
```
It is mainly used for redirecting old domains to new ones, and Let's Encrypt is the SSL provider.
ACME challenge type is HTTP-01.
Ports 80 and 443 for the entrypoints web/websecure are all open from the public internet.
Suddenly ACME challenge domain validation started failing, and we have been unable to figure out the root cause.

Error Logs
December 15, 2025, 19:28
```json
{"level":"error","providerName":"lestandard.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory",
"providerName":"lestandard.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory",
"routerName":"websecure-moinak.dutta.ext.baywsf.com@redis",
"rule":"Host(moinak.dutta.ext.baywsf.com)","error":"unable to generate a certificate for the domains [moinak.dutta.ext.baywsf.com]:
error: one or more domains had a problem:\n[moinak.dutta.ext.baywsf.com] invalid authorization: acme:
error: 400 :: urn:ietf:params:acme:error:connection :: 63.180.28.137:
Fetching http://moinak.dutta.ext.baywsf.com/.well-known/acme-challenge/Ko9mS0Yr3I5ol_Yg8mNpN09bHOP6JCBR1RYkxwEtftM:
Timeout during connect (likely firewall problem)\n","domains":["moinak.dutta.ext.baywsf.com"],"time":"2025-12-15T13:58:59Z",
"caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:501","message":"Unable to obtain ACME certificate for domains"}
```
Sample dynamic rules in Redis for a test domain, i.e. redirector-debug.baywsf.com:

Redis Keys
```text
Redis_Domain:6379> keys redirector/domains/"redirector-debug.baywsf.com"
- "redirector/domains/redirector-debug.baywsf.com"
Redis_Domain:6379> keys redirector
- "traefik/http/middlewares/redirector-debug.baywsf.com_redirect_0/redirectregex/replacement"
- "traefik/http/routers/redirector-debug.baywsf.com/service"
- "redirector/domains/redirector-debug.baywsf.com"
- "traefik/http/routers/redirector-debug.baywsf.com/entryPoints/0"
- "traefik/http/middlewares/redirector-debug.baywsf.com_redirect_0/redirectregex/permanent"
- "traefik/http/routers/redirector-debug.baywsf.com/rule"
- "traefik/http/routers/redirector-debug.baywsf.com/middlewares/0"
- "traefik/http/routers/redirector-debug.baywsf.com/entryPoints/1"
- "traefik/http/middlewares/redirector-debug.baywsf.com_redirect_0/redirectregex/regex"
- "traefik/http/middlewares/redirector-debug.baywsf.com_chain/chain/middlewares"
```
Screenshot of Traefik dashboard router/service.

nslookup of the same domain to show there is no IPv6 or AAAA record, but still this issue is happening.
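Added example for triaging a failure of this shape; it is not Traefik's code and not part of the post above. The first function parses the `urn:ietf:params:acme:error:...` problem out of a Traefik JSON error log line (the sample line is constructed with placeholder domain, IP and token, modelled on the log format shown in the post), so the validator IP the CA actually used can be compared with the A records the name resolves to now. The second function fetches the challenge URL over plain HTTP the way a CA validator would, so a "Timeout during connect" can be reproduced from outside the VPC. Function names and the `HINTS` table are this example's own.

```python
"""Triage a Traefik ACME failure log line and probe HTTP-01 reachability.

Added example for this thread, not Traefik's own code. parse_acme_failure()
works offline on a log line; probe_http01() makes a real HTTP request and is
meant to be run from a host outside the affected network.
"""
import http.client
import json
import re
import socket
from urllib.parse import urlparse

# Constructed sample line shaped like Traefik's JSON error log; the domain,
# IP and token are placeholders, not values from any real deployment.
SAMPLE_LOG_LINE = json.dumps({
    "level": "error",
    "providerName": "lestandard.acme",
    "routerName": "websecure-redirector.example.test@redis",
    "rule": "Host(`redirector.example.test`)",
    "error": (
        "unable to generate a certificate for the domains [redirector.example.test]: "
        "error: one or more domains had a problem:\n"
        "[redirector.example.test] invalid authorization: acme: error: 400 :: "
        "urn:ietf:params:acme:error:connection :: 192.0.2.10: "
        "Fetching http://redirector.example.test/.well-known/acme-challenge/TOKENPLACEHOLDER: "
        "Timeout during connect (likely firewall problem)\n"
    ),
    "domains": ["redirector.example.test"],
    "time": "2025-12-15T13:58:59Z",
    "message": "Unable to obtain ACME certificate for domains",
})

# Matches the ACME problem detail embedded in Traefik's "error" field:
#   400 :: urn:ietf:params:acme:error:<type> :: <ip>: Fetching <url>: <detail>
ACME_PROBLEM_RE = re.compile(
    r"(?P<status>\d{3}) :: (?P<urn>urn:ietf:params:acme:error:[A-Za-z]+) :: "
    r"(?P<ip>[0-9A-Fa-f.:]+): Fetching (?P<url>\S+?): (?P<detail>[^\n]+)"
)

# Defender-side reading of the problem types most often seen in this log shape.
HINTS = {
    "connection": "the CA could not open TCP/80 to the validated IP: check security "
                  "groups, NACLs, the listener on port 80 and the A record the CA resolved",
    "unauthorized": "TCP/80 answered but the token was wrong, or a redirect or another "
                    "service answered the challenge path",
    "dns": "the CA could not resolve the name: check the zone's NS and A records",
}


def parse_acme_failure(line):
    """Return the structured ACME problem from one Traefik JSON log line, or None."""
    rec = json.loads(line)
    match = ACME_PROBLEM_RE.search(rec.get("error", ""))
    if match is None:
        return None
    error_type = match.group("urn").rsplit(":", 1)[-1]
    url = match.group("url")
    return {
        "domains": rec.get("domains", []),
        "status": int(match.group("status")),
        "error_type": error_type,
        "validator_ip": match.group("ip"),
        "challenge": "http-01" if "/.well-known/acme-challenge/" in url else "other",
        "challenge_url": url,
        "detail": match.group("detail").strip(),
        "hint": HINTS.get(error_type, "see the ACME error type in the log"),
    }


def validator_ip_matches(parsed, resolved_ips):
    """True if the IP the CA tried is one the name currently resolves to.

    A mismatch means the CA validated a stale or unexpected address, so opening
    the firewall in front of the current address will not fix the failure.
    """
    return parsed["validator_ip"] in set(resolved_ips)


def resolve_a_records(host):
    """IPv4 addresses the local resolver returns for host (empty on failure)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def probe_http01(challenge_url, timeout=10.0):
    """Fetch the challenge URL over plain HTTP like a CA validator (network needed).

    Returns the HTTP status and any Location header, or the failure class.
    """
    parts = urlparse(challenge_url)
    host, port, path = parts.hostname, parts.port or 80, parts.path or "/"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return {"reachable": True, "status": resp.status, "location": resp.getheader("Location")}
    except socket.timeout:            # the same symptom as "Timeout during connect"
        return {"reachable": False, "failure": "timeout"}
    except ConnectionRefusedError:
        return {"reachable": False, "failure": "refused"}
    except OSError as exc:            # DNS failure, unreachable network, etc.
        return {"reachable": False, "failure": type(exc).__name__}
    finally:
        conn.close()


if __name__ == "__main__":
    problem = parse_acme_failure(SAMPLE_LOG_LINE)
    print(json.dumps(problem, indent=2))
    # Live checks, to be run from outside the VPC:
    # ips = resolve_a_records(problem["domains"][0])
    # print("validator IP in current A records:", validator_ip_matches(problem, ips))
    # print(probe_http01(problem["challenge_url"]))
```

Run the parser over the real log line first: if `validator_ip` is not among the addresses `resolve_a_records()` returns for the domain, the CA validated against a different address than the one the security group rules were written for. If it is, run `probe_http01()` from a host on the public internet; a `timeout` there, with the same URL served fine from inside the VPC, points at the path between the internet and port 80 (security group, NACL, or listener) rather than at Traefik's router configuration.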