Using certbot to manage certs independently from traefik? Possible?

I have set up certbot on Ubuntu and successfully created my certificate with --standalone. The same system may later use other certs for other FQDNs that end up on the same system as well.

I have added traefik v2.9 to this system. Traefik listens on ports 80 and 443. I have configured traefik with a 'file provider' so that it uses the separately certbot-created certificate. This works. See https://community.traefik.io/t/traefik-v2-and-docker-compose-no-default-certificate/16146/5

Some of the future services on this Ubuntu system (e.g. postfix, where postscreen will listen directly on port 25) will not be managed via traefik. So I want to keep cert management and traefik separate. Use certbot to manage the certs and have traefik use some of them.

The certs renewal config looks like this:

[renewalparams]
account = [snip]
pref_challs = http-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone

Now, I think that if traefik is running on port 80, certbot will not be able to renew because traefik is already listening on that port. What is the best way to solve this conundrum? One way is of course to have traefik not listen on port 80 and work purely on 443. Another might be to have traefik catch the path /.well-known/acme-challenge/ on port 80, serve the contents as a very simple web server, and use certbot with webroot, maybe (and if so: how)? Or should I move cert management into the traefik container (I'm running traefik in docker) anyway, and make sure the container's cert contents are mapped via docker compose volumes to the file system outside the traefik container?

You can use certbot behind Traefik, see my proof-of-concept. That was for a clustered version, not really plug&play, I wouldn't use it for a clustered production system. The challenge is the distribution of the certs in a clustered environment. Using a shared folder with certbot for a Traefik cluster is probably better than using the http provider.

Traefik stores its own LetsEncrypt certificates in a JSON file, which is not compatible with regular PEM/KEY files, even though a conversion should be easily doable. Here the challenge is probably how/when to trigger the conversion. If you have a stable environment, not adding new domains by the hour, you can probably just run the container every day or let the script loop and sleep for 24h.

Thank you. I've read your proof-of-concept. It is pretty complicated (impressive, though). I've decided for now to try using a lighttpd container on port 8081 with a volume that is writable by certbot-outside-traefik, and to have traefik route anything to do with certbot in webroot mode to lighttpd. That enables certbot-outside-traefik to update the certs that are used by everything inside traefik through a dynamic default cert setting.
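The setup described in that reply (certbot on the host in webroot mode, lighttpd serving the challenge directory, Traefik routing only /.well-known/acme-challenge/ to it and loading the certbot-issued certificate through the file provider), written out as an added example. This is not the poster's configuration; the entrypoint names web/websecure, the service name lighttpd on port 8081, the webroot /var/www/acme, the domain example.com and the lighttpd image are all assumptions to adjust to your environment.

```yaml
# file: docker-compose.yml  (added example, not from the thread)
services:
  traefik:
    image: traefik:v2.9
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --providers.file.watch=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      # Mount the whole tree: live/ only holds symlinks into archive/,
      # so mounting live/ alone leaves Traefik with dangling links.
      - /etc/letsencrypt:/etc/letsencrypt:ro
  lighttpd:
    image: your-lighttpd-image   # placeholder: any image configured to serve /var/www/acme on port 8081
    volumes:
      # certbot on the host writes challenge tokens here (-w /var/www/acme)
      - /var/www/acme:/var/www/acme:ro
    # no "ports:" entry: lighttpd is reachable only from Traefik on the Docker network

---
# file: dynamic.yml  (Traefik v2 dynamic configuration, added example)
http:
  routers:
    # ACME HTTP-01 challenges go to lighttpd. High priority so this router
    # wins over the catch-all redirect below on the same entrypoint.
    acme-challenge:
      entryPoints:
        - web
      rule: "PathPrefix(`/.well-known/acme-challenge/`)"
      priority: 100
      service: acme-webroot
    # Everything else on :80 is redirected to HTTPS.
    http-to-https:
      entryPoints:
        - web
      rule: "PathPrefix(`/`)"
      priority: 1
      middlewares:
        - redirect-to-https
      service: noop@internal
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true
  services:
    acme-webroot:
      loadBalancer:
        servers:
          - url: "http://lighttpd:8081"

tls:
  # Certificate issued by certbot on the host; also used as the default
  # certificate so non-matching SNI does not get Traefik's self-signed one.
  certificates:
    - certFile: /etc/letsencrypt/live/example.com/fullchain.pem
      keyFile: /etc/letsencrypt/live/example.com/privkey.pem
  stores:
    default:
      defaultCertificate:
        certFile: /etc/letsencrypt/live/example.com/fullchain.pem
        keyFile: /etc/letsencrypt/live/example.com/privkey.pem
```

With Traefik up, issue or re-issue the certificate from the host with `certbot certonly --webroot -w /var/www/acme -d example.com`; certbot then rewrites the renewal conf from the question to `authenticator = webroot` with a webroot map, and `certbot renew` no longer needs port 80. Two things to check after the first renewal: the file provider reloads when dynamic.yml changes, and certbot replacing files under archive/ does not by itself change dynamic.yml, so pass `--deploy-hook 'touch /path/to/dynamic.yml'` (or restart Traefik) if `openssl s_client -connect example.com:443 -servername example.com` still shows the old certificate; and if you use an entrypoint-level HTTP-to-HTTPS redirect instead of the router above, confirm the acme-challenge router still takes precedence over it.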

Based on @bluepuma77's proof-of-concept, I have created a solution for docker swarm with Traefik instances running on a single node. It should not be difficult to share the exported file with TLS to other machines, though. GitHub - brablc/swarm-certbot-traefik