Traefik tries to generate certificates on every new run

Hello!

I've set up some services running behind Traefik; however, every time I start the containers, Traefik tries to regenerate the certificates.

I think it does detect that there is an existing certificate, based on the following log, but then somehow goes ahead and regenerates them anyways?

traefik    | 2024-04-21T09:41:07Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["some.server.url"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=portainer@file rule=Host(`some.server.url`)
traefik    | 2024-04-21T09:41:07Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["some.server.url"] providerName=letsencrypt.acme routerName=portainer@file rule=Host(`some.server.url`)
traefik    | 2024-04-21T09:41:12Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:251 > Building ACME client... providerName=letsencrypt.acme
traefik    | 2024-04-21T09:41:12Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:257 > https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
traefik    | 2024-04-21T09:41:12Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:371 > Register... providerName=letsencrypt.acme
traefik    | 2024-04-21T09:41:12Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] acme: Registering account for email@id.com lib=lego
traefik    | 2024-04-21T09:41:12Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:322 > Using HTTP Challenge provider. providerName=letsencrypt.acme
traefik    | 2024-04-21T09:41:12Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] [some.server.url] acme: Obtaining bundled SAN certificate lib=lego
traefik    | 2024-04-21T09:41:12Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:396 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [some.server.url]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: some.server.url, retry after 2024-04-22T18:09:28Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["some.server.url"] providerName=letsencrypt.acme routerName=portainer@file rule=Host(`some.server.url`)

After a few restarts, I've managed to hit the rate limit for Let's Encrypt. (My bad on this, should have used the test URL.)

In my traefik.yaml, I've defined certificates as:

certificatesResolvers:
  letsencrypt:
    acme:
      email: email@id.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

Can someone please help in solving this? I don't want to generate certificates on every restart if they already exist.

Thank you!

Best practice is to place the acme.json file in a bind mount or volume; see the simple Traefik example.
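
A Compose service that keeps the /letsencrypt/acme.json storage path from the question on a bind mount, so the ACME account and issued certificates survive container re-creation. This is an added example, not code from the thread or from the Traefik project; the image tag, host paths and port mappings are assumptions.

```yaml
# docker-compose.yml (constructed example; image tag, host paths and ports are assumptions)
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"     # "web" entry point, used by the HTTP challenge
      - "443:443"
    volumes:
      # Static configuration from the question, mounted read-only.
      - ./traefik.yaml:/etc/traefik/traefik.yaml:ro
      # Persist ACME storage. Without this mount, /letsencrypt/acme.json lives
      # only in the container's writable layer and is lost whenever the
      # container is re-created, so Traefik registers a new account and
      # orders new certificates on the next start.
      - ./letsencrypt:/letsencrypt
      # Alternative: a named volume instead of the bind mount.
      # - letsencrypt:/letsencrypt

# Needed only for the named-volume alternative above.
# volumes:
#   letsencrypt:
```

Traefik creates acme.json inside the mounted directory on first run; a pre-created file must have mode 600, since it holds the account and certificate private keys and Traefik refuses to use it with looser permissions. While testing, pointing the resolver's caServer at the Let's Encrypt staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) keeps repeated restarts from consuming the production rate limit.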