Unable to issue LE ssl certificates on Traefik

obervinov · January 17, 2025, 9:36am

Hello everyone!

For the second day now, I've been trying to set up a fairly simple Traefik configuration to issue an ssl certificate via LetsEncrypt, but it seems like an impossible task...
I'm ready to give up and return to Caddy, because such a simple thing requires so many debugging resources.

Traefik is installed as a binary file on an ubuntu server (without containerization).
Here are some introductory ones:

$ traefik version
Version:      2.11.18
Codename:     mimolette
Go version:   go1.23.4
Built:        2025-01-07T15:30:00Z
OS/Arch:      linux/amd64

Configuration

$ cat /etc/traefik/traefik.yml
log:
  filePath: "/var/log/traefik/traefik.log"
  level: DEBUG

accessLog:
  filePath: "/var/log/traefik/access.log"
  bufferingSize: 100

entryPoints:
  wireguardUi:
    address: ":9443"

certificatesResolvers:
  letsEncrypt:
    acme:
      email: acme@exmaple.com
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: digitalocean
        delayBeforeCheck: 5

http:
  routers:
    wireguardUiRouter:
      entryPoints:
        - wireguardUi
      rule: "Host(`wgui.example.com`)"
      service: wireguardUiBackend
      tls:
        certResolver: letsEncrypt
  services:
    wireguardUiBackend:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8888"

Systemd Unit

$ cat /etc/systemd/system/traefik.service
[Unit]
Description=Traefik
Documentation=https://doc.traefik.io/traefik/
After=network-online.target
AssertFileIsExecutable=/usr/bin/traefik
AssertPathExists=/etc/traefik/traefik.yml

[Service]
User=traefik
AmbientCapabilities=CAP_NET_BIND_SERVICE
EnvironmentFile=/etc/traefik/traefik.env
# configure service behavior
Type=notify
ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.yml
Restart=always
WatchdogSec=1s

[Install]
WantedBy=multi-user.target

FS Permissions

$ ls -lah
total 20K
drwxr-xr-x  3 traefik traefik 4.0K Jan 17 09:13 .
drwxr-xr-x 97 root    root    4.0K Jan 16 16:48 ..
-rw-------  1 traefik traefik    0 Jan 17 09:04 acme.json
drwxr-x---  2 traefik root    4.0K Jan 16 16:58 logs
-rw-r--r--  1 traefik traefik   86 Jan 16 19:27 traefik.env
-rwxr-xr-x  1 traefik traefik  926 Jan 17 09:13 traefik.yml

Environment Variables

DO_AUTH_TOKEN=***

Full debug logs

time="2025-01-17T09:13:42Z" level=debug msg="Configuration received: {\"http\":{\"services\":{\"noop\":{}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2025-01-17T09:13:42Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2025-01-17T09:13:42Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2025-01-17T09:13:42Z" level=info msg="Starting provider *acme.Provider"
time="2025-01-17T09:13:42Z" level=debug msg="*acme.Provider provider configuration: {\"email\":\"acme@example.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"digitalocean\",\"delayBeforeCheck\":\"5s\"},\"ResolverName\":\"letsEncrypt\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2025-01-17T09:13:42Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=letsEncrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2025-01-17T09:13:42Z" level=info msg="Testing certificate renew..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsEncrypt.acme
time="2025-01-17T09:13:42Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=letsEncrypt.acme
time="2025-01-17T09:13:42Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2025-01-17T09:13:42Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

I have carefully read the documentation and various workarounds on the forum in topics with a similar problem. I even tried to roll back from the major version 3 to 2. The result is always the same.
Additionally, I tried to delete acme.json, Traefik recreates it when the unit is restarted, but it always remains empty.
Unfortunately, the DEBUG and TRACE logging levels did not help to debug the problem in any way. I've already run out of ideas why this might not work.
I would be extremely grateful for all the advice and recommendations.

bluepuma77 · January 17, 2025, 1:33pm

http is Traefik dynamic config, it needs to be loaded by a provider, like providers.file in static config from a separate dynamic config file (doc). Check simple Traefik example.

Topic		Replies	Views
Lets encrypt certificate doesn't work Traefik v2 letsencrypt-acme	2	701	March 25, 2022
Unable to get HTTPS to work at all Traefik v3 (latest) docker , letsencrypt-acme	2	464	March 2, 2024
Issue requesting SSL using ACME Traefik v3 (latest) docker , letsencrypt-acme	0	132	September 18, 2024
Not able to obtain certificates via tlsChallenge or httpChallenge Traefik v2 letsencrypt-acme	1	3969	October 10, 2019
Unable to generate Let's Encrypt certificates Traefik v2 docker , letsencrypt-acme	8	16666	February 4, 2021

Unable to issue LE ssl certificates on Traefik

Related topics