Why would Traefik serve the default self-generated certificate only for a subdomain of a Docker Compose container?

Dear Developers, Community,

Thank you for the marvel!


I am trying to configure a Docker Compose container for a subdomain and HTTPS route.

For some unknown reason, Traefik successfully gets and stores a cert for the main domain but not for the subdomain that belongs to the container: pic.example.com.

As you may see in the Traefik logs below, it keeps saying that the cert is not required and serves the default one for an unknown reason.

The file acme.json contains a cert for only the main domain (e.g. example.com), and I've already tried cleaning the file and restarting Traefik.

What might it be? Why would it serve the default only?


Best and kind regards

Supplementary

Traefik Logs

2025-07-20T10:56:36Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:105 > Traefik version 3.4.4 built on 2025-07-11T08:31:57Z version=3.4.4
2025-07-20T10:56:36Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:112 > Static configuration loaded [json] staticConfiguration={"accessLog":{"fields":{"defaultMode":"keep","headers":{"defaultMode":"keep","names":{"Authorization":"redact"}},"names":{"ClientUsername":"drop","DownstreamContentSize":"drop","DownstreamStatus":"drop","Overhead":"drop","ServiceURL":"drop"}},"filePath":"/var/log/traefik/access.log","filters":{"minDuration":"10ms"},"format":"json"},"api":{"basePath":"/","dashboard":true,"debug":true,"insecure":true},"certificatesResolvers":{"lets-encrypt":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"user@gmail.com","httpChallenge":{"entryPoint":"http"},"keyType":"RSA4096","preferredChain":"ISRG Root X1","storage":"/resolvers/acme.json"}}},"entryPoints":{"http":{"address":":80","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"https":{"address":":443","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true,"tls":{"certResolver":"lets-encrypt"}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"traefik":{"address":":8111","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"experimental":{"plugins":{"rewriteHeadersTP":{"moduleName":"github.com/bitrvmpd/traefik-plugin-rewrite-headers","settings":{},"version":"v0.0.1"}}},"global":{"checkNewVersion":true},"log":{"compress":true,"filePath":"/var/log/traefik/traefik.log","format":"common","level":"TRACE","maxAge":7,"maxBackups":10},"providers":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","httpClientTimeout":"1h23m20s","network":"reverse-proxy","watch":true},"file":{"directory":"/opt/config/traefik/providers","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2025-07-20T10:56:36Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:634 >
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2025-07-20T10:56:36Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:239 > Loading plugins... plugins=["rewriteHeadersTP"]
2025-07-20T10:56:36Z DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: rewriteHeadersTP: github.com/bitrvmpd/traefik-plugin-rewrite-headers@v0.0.1
2025-07-20T10:56:36Z DBG github.com/hashicorp/go-retryablehttp@v0.7.7/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/download/github.com/bitrvmpd/traefik-plugin-rewrite-headers/v0.0.1
2025-07-20T10:56:39Z DBG github.com/hashicorp/go-retryablehttp@v0.7.7/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/validate/github.com/bitrvmpd/traefik-plugin-rewrite-headers/v0.0.1
2025-07-20T10:56:39Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:249 > Plugins loaded. plugins=["rewriteHeadersTP"]
2025-07-20T10:56:39Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator *aggregator.ProviderAggregator
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=http
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=https
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=traefik
2025-07-20T10:56:39Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"directory":"/opt/config/traefik/providers","watch":true}
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/middlewares.yaml
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/routers.yaml
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/services.yaml
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/tls.yaml
2025-07-20T10:56:39Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
2025-07-20T10:56:39Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
2025-07-20T10:56:39Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *docker.Provider
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *docker.Provider provider configuration config={"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","httpClientTimeout":"1h23m20s","network":"reverse-proxy","watch":true}
2025-07-20T10:56:39Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"lets-encrypt","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"user@gmail.com","httpChallenge":{"entryPoint":"http"},"keyType":"RSA4096","preferredChain":"ISRG Root X1","storage":"/resolvers/acme.json","store":{}}
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:234 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2025-07-20T10:56:39Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:890 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"redirect-to-https":{"redirectScheme":{"port":"443","scheme":"https"}},"redirect-to-main-host":{"redirectRegex":{"permanent":true,"regex":".+","replacement":"https://example.com"}}},"routers":{"catchall":{"entryPoints":["http","https"],"middlewares":["redirect-to-https"],"priority":1,"rule":"HostRegexp(`{host:.+}`)","service":"noop@internal"}}},"tcp":{},"tls":{"stores":{"default":{},"example-com":{"defaultGeneratedCert":{"domain":{"main":"example.com"},"resolver":"lets-encrypt"}}}},"udp":{}} providerName=file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"dashboard_redirect":{"redirectRegex":{"permanent":true,"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/"}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}}},"models":{"https":{"observability":{},"tls":{"certResolver":"lets-encrypt"}}},"routers":{"acme-http":{"entryPoints":["http"],"priority":9223372036854775807,"rule":"PathPrefix(`/.well-known/acme-challenge/`)","ruleSyntax":"default","service":"acme-http@internal"},"api":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/api`)","ruleSyntax":"default","service":"api@internal"},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"priority":9223372036854775805,"rule":"PathPrefix(`/`)","ruleSyntax":"default","service":"dashboard@internal"},"debug":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/debug`)","ruleSyntax":"default","service":"api@internal"}},"serversTransports":{"default":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200}},"services":{"acme-http":{},"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=lets-encrypt.acme
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:90 > Provider connection established with docker 24.0.2 (API 1.43) providerName=docker
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-traefik-9ec2560a315e6a562f07d275191e830a98832395f91485d175fd971ad58bced1 providerName=docker
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=database-nginx-0679df409b85dc216e6585f13be85a57bee650802d3bc0cefe6d4776570ff44f providerName=docker
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"routers":{"nginx":{"entryPoints":["http","https"],"priority":2,"rule":"Host(`pic.example.com`)","service":"nginx"}},"services":{"nginx":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://192.168.176.2:12345"}],"strategy":"wrr"}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
2025-07-20T10:56:39Z ERR github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:138 > Error while creating certificate store error="unable to find certificate for domains \"example.com\": falling back to the internal generated certificate" tlsStoreName=example-com@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-20T10:56:39Z WRN github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:182 > No domain found in rule HostRegexp(`{host:.+}`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:468 > No domain parsed in provider ACME ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-catchall@file rule=HostRegexp(`{host:.+}`)
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:607 > Default ACME certificate generation is not required. ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme tlsStoreName=example-com@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) example.com
2025-07-20T10:56:39Z ERR github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:138 > Error while creating certificate store error="unable to find certificate for domains \"example.com\": falling back to the internal generated certificate" tlsStoreName=example-com@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:320 > Creating load-balancer entryPointName=http routerName=nginx@docker serviceName=nginx@docker
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:363 > Creating server URL=http://192.168.176.2:12345 entryPointName=http routerName=nginx@docker serverIndex=0 serviceName=nginx@docker
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-20T10:56:39Z WRN github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:182 > No domain found in rule HostRegexp(`{host:.+}`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for pic.example.com with TLS options default entryPointName=https
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:468 > No domain parsed in provider ACME ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-catchall@file rule=HostRegexp(`{host:.+}`)
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:472 > Trying to challenge certificate for domain [pic.example.com] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:607 > Default ACME certificate generation is not required. ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme tlsStoreName=example-com@file
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:946 > Looking for provided certificate(s) to validate ["pic.example.com"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:990 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["pic.example.com"] providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-20T10:56:41Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "pic.example.com"
2025-07-20T10:56:41Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345

Service Docker Compose File

services:
  nginx:
    image: nginx

    volumes:
      - '/etc/localtime:/etc/localtime:ro'

    ports:
      - '12345:12345'

    depends_on:
      - redis
      - database

    networks:
      - web
      - reverse-proxy

    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.nginx.service=nginx'
      - 'traefik.http.routers.nginx.rule=Host(`pic.example.com`)'
      - 'traefik.http.routers.nginx.entrypoints=http,https'
      - 'traefik.http.routers.nginx.priority=2'
      - 'traefik.http.routers.nginx.middlewares=redirect-to-https@file'
      # - 'traefik.http.routers.nginx.tls=false'
      - 'traefik.http.routers.nginx.tls.certresolver=lets-encrypt'
      - 'traefik.http.services.nginx.loadbalancer.server.port=12345'

  database:
    image: postgres:14
    restart: unless-stopped

    environment:
      POSTGRES_PASSWORD: test
      POSTGRES_USER: test
      POSTGRES_DB: test
      POSTGRES_INITDB_ARGS: '--data-checksums'

    networks:
      - web

    healthcheck:
      test: pg_isready -h 127.0.0.1 -d test -U test
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 20s  

  redis:
    image: redis

    networks:
      - web

    healthcheck:
      test: redis-cli ping || exit 1

networks:
  web:
  reverse-proxy:
    name: 'reverse-proxy'
    external: true

Update #1 (Reason)


Traefik Docker Compose File

services:

  traefik:
    image: traefik

    volumes:
      - '/var/docker/data/traefik/traefik/config/traefik.yaml:/traefik.yaml:ro'
      - '/var/docker/data/traefik/traefik/config/providers:/opt/config/traefik/providers:ro'
      - '/var/docker/data/traefik/traefik/config/resolvers/acme.json:/resolvers/acme.json'
      - '/var/docker/data/traefik/traefik/log:/var/log/traefik'
      - '/var/docker/data/traefik/traefik/tls/certs/cert.pem:/opt/traefik/tls/certs/cert.pem:ro'
      - '/var/docker/data/traefik/traefik/tls/private/key.pem:/opt/traefik/tls/private/key.pem:ro'
      - '/var/run/docker.sock:/var/run/docker.sock:ro'

    networks:
      - 'reverse-proxy'

    ports:
      - '127.0.0.1:8111:8111'
      - '443:443'
      - '80:80'

    extra_hosts:
      - 'host.docker.internal:172.17.0.1'

networks:
  reverse-proxy:
    name: reverse-proxy
    external: true

Traefik Static Config

Traefik container file: /traefik.yaml:

# Static Traefik Configuration File
#
# @see https://doc.traefik.io/traefik/v2.0/reference/static-configuration/file
# ////////////////////////////////////////////////////////////////

global:
  checkNewVersion: true
  sendAnonymousUsage: false

serversTransport:
  insecureSkipVerify: true

# API
# ----------------------------------------------------------------

api:
  insecure: true
  dashboard: true
  debug: true

# Logs
# ----------------------------------------------------------------

log:
  filePath: '/var/log/traefik/traefik.log'
  # level: 'DEBUG'
  level: 'TRACE'
  maxBackups: 10
  maxAge: 7
  compress: true

# @see https://github.com/traefik/traefik/blob/master/pkg/middlewares/accesslog/logdata.go
# @see https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers
# @see https://community.traefik.io/t/access-logs-pass-custom-headers/18591/2
accessLog:
  filePath: '/var/log/traefik/access.log'
  format: json

  filters:
    minDuration: '10ms'

  fields:
    defaultMode: keep
    names:
      ClientUsername: drop
      DownstreamContentSize: drop
      DownstreamStatus: drop
      Overhead: drop
      ServiceURL: drop

    headers:
      defaultMode: keep
      names:
        Authorization: redact

# Certificate Resolvers
#
# @see https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
# ----------------------------------------------------------------

certificatesResolvers:
  lets-encrypt:
    acme:
      email: 'user@gmail.com'
      storage: '/resolvers/acme.json'
      preferredChain: 'ISRG Root X1'
      keyType: 'RSA4096'

      httpChallenge:
        entryPoint: 'http'

# Providers
#
# @see https://doc.traefik.io/traefik/v2.0/providers
# ----------------------------------------------------------------

providers:
  file:
    directory: '/opt/config/traefik/providers'
    watch: true

  docker:
    endpoint: 'unix:///var/run/docker.sock'
    watch: true
    network: 'reverse-proxy'
    exposedByDefault: false
    httpClientTimeout: 5000

# Entrypoints
#
# @see https://doc.traefik.io/traefik/routing/entrypoints
# ----------------------------------------------------------------

entryPoints:
  http:
    address: ':80'

  https:
    address: ':443'

    http:
      tls:
        certResolver: 'lets-encrypt'

  traefik:
    address: ':8111'

defaultEntryPoints:
  - 'http'
  - 'https'

# Plugins
# ----------------------------------------------------------------

experimental:
  plugins:

    # @see https://plugins.traefik.io/plugins/63718c14c672f04dd500d1a0/rewrite-headers
    rewriteHeadersTP:
      moduleName: 'github.com/bitrvmpd/traefik-plugin-rewrite-headers'
      version: 'v0.0.1'

Traefik Provider Dynamic Configs

Middlewares

Traefik container file: /opt/config/traefik/providers/middlewares.yaml:

http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        port: '443'
        scheme: 'https'
        permanent: false

Routers

Traefik container file: /opt/config/traefik/providers/routers.yaml:

http:
  routers:
    catchall:
      rule: 'HostRegexp(`{host:.+}`)'
      service: 'noop@internal'
      priority: 1

      entrypoints:
        - 'http'
        # Mayhaps, not required.
        - 'https'

      middlewares:
        - 'redirect-to-https'

TLS

Traefik container file: /opt/config/traefik/providers/tls.yaml:

# TLS
# @see https://doc.traefik.io/traefik/https/tls/#acme-default-certificate
tls:
  stores:
    serious-su:
      defaultGeneratedCert:
        resolver: 'lets-encrypt'
        domain:
          main: 'example.com'

    default:
      # If invalid, should result in 'ERR_SSL_UNRECOGNIZED_NAME_ALERT'.
      # @see https://www.rfc-editor.org/rfc/rfc4366#section-4 ("unrecognized_name")
      defaultCertificate:
        certFile: '/opt/traefik/tls/certs/cert.pem'
        keyFile: '/opt/traefik/tls/private/key.pem'

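As an added diagnostic that is not part of this thread or of Traefik itself: a small Python script that lists what acme.json actually holds, reports which router hosts no stored certificate covers, and counts the "Serving default certificate" fallbacks in the Traefik log. The acme.json content and log lines are constructed samples in the shapes shown above, and the wildcard matching is a simplified model of a certificate store's lookup, not Traefik's own code.

```python
import base64
import json
import re
from typing import Dict, List, Optional

# Constructed sample acme.json in the shape Traefik 3 writes for a resolver named
# "lets-encrypt"; the certificate/key fields are placeholder bytes, not real PEM.
SAMPLE_ACME_JSON = json.dumps({
    "lets-encrypt": {
        "Account": {
            "Email": "user@example.com",
            "Registration": {"body": {"status": "valid"},
                             "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/REDACTED"},
            "PrivateKey": base64.b64encode(b"placeholder-key").decode(),
            "KeyType": "4096",
        },
        "Certificates": [
            {"domain": {"main": "pic.example.com"},
             "certificate": base64.b64encode(b"placeholder-cert").decode(),
             "key": base64.b64encode(b"placeholder-key").decode(),
             "Store": "default"},
        ],
    }
})

# Constructed log lines in the format of the TRACE-level Traefik log in the question.
SAMPLE_LOG = """\
2025-07-20T10:56:39Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) example.com
2025-07-20T10:56:41Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "pic.example.com"
2025-07-20T10:56:41Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "pic.example.com"
2025-07-20T10:57:02Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "other.example.net"
"""


def stored_domains(acme_json_text: str, resolver: str) -> List[Dict[str, object]]:
    """One entry per certificate stored for `resolver`: main domain, SANs, the TLS
    store it belongs to, and whether a PEM payload is actually present (an empty
    'certificate' field means the ACME order never completed)."""
    data = json.loads(acme_json_text)
    entries = []
    for cert in data.get(resolver, {}).get("Certificates") or []:
        domain = cert.get("domain", {})
        entries.append({
            "main": domain.get("main", ""),
            "sans": list(domain.get("sans") or []),
            "store": cert.get("Store", "default"),
            "has_pem": bool(cert.get("certificate")),
        })
    return entries


def host_matches(pattern: str, host: str) -> bool:
    """Simplified certificate-store lookup: exact match, or a wildcard '*.example.com'
    covering exactly one extra label ('pic.example.com' yes, 'a.b.example.com' and
    'example.com' no)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False


def certificate_for(host: str, entries: List[Dict[str, object]]) -> Optional[str]:
    """Main domain of the stored certificate that would serve `host`, or None,
    which is the case the log reports as 'Serving default certificate'."""
    for e in entries:
        names = [e["main"]] + list(e["sans"])
        if e["has_pem"] and any(host_matches(n, host) for n in names):
            return e["main"]
    return None


def missing_certificates(expected_hosts: List[str], entries) -> List[str]:
    """Router hosts (from Host(`...`) rules or compose labels) that no stored
    certificate covers; requests for these fall back to the default certificate."""
    return [h for h in expected_hosts if certificate_for(h, entries) is None]


DEFAULT_CERT_RE = re.compile(r'Serving default certificate for request: "([^"]+)"')


def default_cert_requests(log_text: str) -> Dict[str, int]:
    """Count per SNI name how often Traefik fell back to the default certificate;
    a non-zero count for a host that should be ACME-covered is the signal to alert on."""
    counts: Dict[str, int] = {}
    for m in DEFAULT_CERT_RE.finditer(log_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    entries = stored_domains(SAMPLE_ACME_JSON, "lets-encrypt")
    print("stored:", entries)
    print("missing:", missing_certificates(["example.com", "pic.example.com"], entries))
    print("default-cert fallbacks:", default_cert_requests(SAMPLE_LOG))
```

Point `stored_domains` at the real acme.json and `default_cert_requests` at traefik.log to see which hosts the resolver actually covers versus which ones clients are being handed the default certificate for.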
Share your full Traefik static and dynamic config, and Docker compose file.

Thank you for the response! I've updated the main question message with additional details.

Traefik only supports a default tls store as far as I know. Not sure if that is the reason for your TLS issues.

I wonder what you are doing with priority; it usually just works. Maybe set a small number on the catchall router.

Why rewriteHeaders without any config?

Even with httpChallenge you don't need to use http on routers.

You got so much config, maybe check the simple Traefik example for the essentials and reduce to find the issue.

You are aware that you don't need to publish ports of target services, as they are connected via a Docker network, within which all ports are available? And you probably shouldn't, as that enables circumventing Traefik security middlewares.

You got so much config...

I am sorry, but it is just a few, and I've already checked and compared the configuration with the example numerous times, and compared the setup with numerous setups of others. Not to mention that the example I read the first day I ever attempted to dive into Traefik does not provide anything related to the issue, and you should know better.

Why rewriteHeaders...

It was in use before but is now removed to find the source of the issue. Sorry for mentioning it in the "so much config".

You are aware that...

I am aware, and I publish those since I must access it on the local network. There's NAT and additional networking before Traefik. Please don't assume people are stupid out of the blue.


At this point, since I've been struggling with this issue for a week with no useful response from the IRC channel nor here, I'll just try building Traefik manually with additional logging added to trace it with more .

Thank you for the response and effort, @bluepuma77, and please stay safe!

I can just provide some ideas, didn’t see any obvious errors. I would try to run it without the tls.yml file. It’s not needed for LE TLS to work.

In our case, the file tls.yaml is required, and defines the default certificate with a trusted CA that is used for connections without the Let's Encrypt cert available (e.g. not example.com but something.else in SNI, yet in a connection to the same Traefik instance/IP address).

I get that, but does your sub-domain work without?

Thank you for responding! I haven't yet added more logging to the binary: I've been trying to build it inside containers only, and since their build scripts assume they run on the host, I'm currently stopped by a path mismatch between the containers during the build, and will return to it if required.

Apparently, dear Let's Encrypt had been having issues for quite some time, and I'd been receiving a lot of HTTP 503, 502 and 500 during ACME attempts and certificate registration.

I waited until their environment got more stable, and tried again with the tls.conf file removed. The same issue was in the logs: the default certificate for the subdomain but not the main domain.

Next, I tried restarting Traefik with the acme.json file removed again, and for a currently unknown reason it requested a certificate for the subdomain and, finally, stored it in acme.json.

As a result, it now serves a certificate for the subdomain but not the main domain; the latter now behaves as the subdomain did previously.

The file acme.json now has only the ACME account key and a certificate for the subdomain (previously, it had the same but for the main domain only):

{
  "lets-encrypt": {
    "Account": {
      "Email": "user@gmail.com",
      "Registration": {
        "body": {
          "status": "valid"
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/[redacted]"
      },
      "PrivateKey": "...",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "pic.example.com"
        },
        "certificate": "...",
        "key": "...",
        "Store": "default"
      }
    ]
  }
}

The log from when it received the cert for the subdomain (pic.example.com) but not for the main domain (example.com):

2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:105 > Traefik version 3.4.4 built on 2025-07-11T08:31:57Z version=3.4.4
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:112 > Static configuration loaded [json] staticConfiguration={"accessLog":{"fields":{"defaultMode":"keep","headers":{"defaultMode":"keep","names":{"Authorization":"redact"}},"names":{"ClientUsername":"drop","DownstreamContentSize":"drop","DownstreamStatus":"drop","Overhead":"drop","ServiceURL":"drop"}},"filePath":"/var/log/traefik/access.log","filters":{"minDuration":"10ms"},"format":"json"},"api":{"basePath":"/","dashboard":true,"debug":true,"insecure":true},"certificatesResolvers":{"lets-encrypt":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"user@gmail.com","httpChallenge":{"entryPoint":"http"},"keyType":"RSA4096","storage":"/resolvers/acme.json"}}},"entryPoints":{"http":{"address":":80","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"https":{"address":":443","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true,"tls":{"certResolver":"lets-encrypt"}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"traefik":{"address":":8111","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"experimental":{"plugins":{"rewriteHeadersTP":{"moduleName":"github.com/bitrvmpd/traefik-plugin-rewrite-headers","settings":{},"version":"v0.0.1"}}},"global":{"checkNewVersion":true},"log":{"compress":true,"filePath":"/var/log/traefik/traefik.log","format":"common","level":"TRACE","maxAge":7,"maxBackups":10},"providers":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","httpClientTimeout":"1h23m20s","network":"reverse-proxy","watch":true},"file":{"directory":"/opt/config/traefik/providers","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:634 > 
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:239 > Loading plugins... plugins=["rewriteHeadersTP"]
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: rewriteHeadersTP: github.com/bitrvmpd/traefik-plugin-rewrite-headers@v0.0.1
2025-07-22T06:45:51Z DBG github.com/hashicorp/go-retryablehttp@v0.7.7/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/download/github.com/bitrvmpd/traefik-plugin-rewrite-headers/v0.0.1
2025-07-22T06:45:51Z DBG github.com/hashicorp/go-retryablehttp@v0.7.7/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/validate/github.com/bitrvmpd/traefik-plugin-rewrite-headers/v0.0.1
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:249 > Plugins loaded. plugins=["rewriteHeadersTP"]
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator *aggregator.ProviderAggregator
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=http
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=traefik
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=https
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"directory":"/opt/config/traefik/providers","watch":true}
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/middlewares.yaml
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/routers.yaml
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/services.yaml
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/tls.yaml.b
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *docker.Provider
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *docker.Provider provider configuration config={"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","httpClientTimeout":"1h23m20s","network":"reverse-proxy","watch":true}
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"lets-encrypt","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"user@gmail.com","httpChallenge":{"entryPoint":"http"},"keyType":"RSA4096","storage":"/resolvers/acme.json","store":{}}
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:234 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:890 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"redirect-to-https":{"redirectScheme":{"port":"443","scheme":"https"}},"redirect-to-main-host":{"redirectRegex":{"permanent":true,"regex":".+","replacement":"https://example.com"}}},"routers":{"catchall":{"entryPoints":["http","https"],"middlewares":["redirect-to-https"],"priority":1,"rule":"HostRegexp(`{host:.+}`)","service":"noop@internal"}}},"tcp":{},"tls":{},"udp":{}} providerName=file
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"dashboard_redirect":{"redirectRegex":{"permanent":true,"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/"}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}}},"models":{"https":{"observability":{},"tls":{"certResolver":"lets-encrypt"}}},"routers":{"acme-http":{"entryPoints":["http"],"priority":9223372036854775807,"rule":"PathPrefix(`/.well-known/acme-challenge/`)","ruleSyntax":"default","service":"acme-http@internal"},"api":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/api`)","ruleSyntax":"default","service":"api@internal"},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"priority":9223372036854775805,"rule":"PathPrefix(`/`)","ruleSyntax":"default","service":"dashboard@internal"},"debug":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/debug`)","ruleSyntax":"default","service":"api@internal"}},"serversTransports":{"default":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200}},"services":{"acme-http":{},"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=lets-encrypt.acme
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:90 > Provider connection established with docker 24.0.2 (API 1.43) providerName=docker
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-traefik-9671b597b2681849626ea45dfe901e1fd6a641b0bb1fd25f9f183bda7c0e7ebb providerName=docker
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=database-nginx-89ffaf95a71f48f9a4a49b3e05542ed137279f0788cd5bec43a403bcb5dfd29e providerName=docker
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"routers":{"nginx":{"entryPoints":["http","https"],"middlewares":["redirect-to-https@file"],"priority":2,"rule":"Host(`pic.example.com`)","service":"nginx","tls":{"certResolver":"lets-encrypt"}}},"services":{"nginx":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://192.168.176.2:12345"}],"strategy":"wrr"}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:52Z WRN github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:182 > No domain found in rule HostRegexp(`{host:.+}`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:468 > No domain parsed in provider ACME ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-catchall@file rule=HostRegexp(`{host:.+}`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:320 > Creating load-balancer entryPointName=https routerName=https-nginx@docker serviceName=nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:363 > Creating server URL=http://192.168.176.2:12345 entryPointName=https routerName=https-nginx@docker serverIndex=0 serviceName=nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
...

The next log part 2/2 (due to the forum limit of 32,000 characters per message).
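A small diagnostic to cross-check the acme.json layout shown above against the Traefik DEBUG lines of the form `Serving default certificate for request: "<host>"` that appear in the log; it is an added example, not code from this thread or from Traefik, and every sample value in it is constructed. The wildcard rule it applies is the standard single-label X.509 match, which is an assumption about how the store matches names rather than something the thread states.

```python
"""Cross-check Traefik's fallback-certificate log lines against acme.json.

Added diagnostic example (not part of the thread, not Traefik's own code).
It parses the acme.json shape from the thread (resolver -> "Certificates" ->
"domain" with "main" and optional "sans") and the DEBUG lines
    ... tlsmanager.go:228 > Serving default certificate for request: "example.com"
and reports, for each SNI name that got the fallback certificate, whether any
stored ACME certificate would have matched it.  Sample data is constructed;
certificate and key blobs are placeholders.
"""
import json
import re
from collections import Counter

# Constructed sample with the same shape as the thread's acme.json: only the
# subdomain has a certificate, the main domain does not.
SAMPLE_ACME_JSON = """{
  "lets-encrypt": {
    "Account": {"Email": "user@example.com", "KeyType": "4096"},
    "Certificates": [
      {"domain": {"main": "pic.example.com"},
       "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"}
    ]
  }
}"""

# Constructed sample log lines in Traefik's DEBUG format.
SAMPLE_LOG = """\
2025-07-22T06:46:00Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:00Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "PIC.example.com"
2025-07-22T06:46:02Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) pic.example.com
"""

DEFAULT_CERT_RE = re.compile(r'Serving default certificate for request: "([^"]*)"')


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so SNI and acme.json names compare equal."""
    return name.strip().rstrip(".").lower()


def parse_acme_domains(acme_text: str) -> dict:
    """Map each resolver in acme.json to the names its stored certificates cover."""
    data = json.loads(acme_text)
    covered = {}
    for resolver, body in data.items():
        names = []
        for cert in body.get("Certificates") or []:
            dom = cert.get("domain", {})
            if dom.get("main"):
                names.append(normalise(dom["main"]))
            names.extend(normalise(s) for s in dom.get("sans") or [])
        covered[resolver] = names
    return covered


def host_matches(host: str, cert_name: str) -> bool:
    """Exact match, or a single-label wildcard match as in X.509 name checking:
    '*.example.com' covers 'pic.example.com' but neither 'example.com'
    nor 'a.b.example.com'."""
    host, cert_name = normalise(host), normalise(cert_name)
    if host == cert_name:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def default_cert_hosts(log_text: str) -> Counter:
    """Count the SNI names Traefik answered with the fallback certificate."""
    return Counter(normalise(m.group(1)) for m in DEFAULT_CERT_RE.finditer(log_text))


def diagnose(acme_text: str, log_text: str) -> dict:
    """For each fallback-served SNI name, say whether acme.json holds a matching cert.

    "stored in <resolver>": a matching certificate exists, so the store had not
    loaded it when that request arrived (e.g. while issuance was in progress).
    "missing": ACME never issued one for that name, so the router's Host() rule
    and tls.certResolver for it are the first things to check.
    """
    covered = parse_acme_domains(acme_text)
    verdict = {}
    for host in default_cert_hosts(log_text):
        if host == "":
            verdict["(no SNI)"] = "client sent no SNI; fallback is expected"
            continue
        matching = [r for r, names in covered.items()
                    if any(host_matches(host, n) for n in names)]
        verdict[host] = "stored in " + ", ".join(matching) if matching else "missing"
    return verdict


if __name__ == "__main__":
    for host, status in sorted(diagnose(SAMPLE_ACME_JSON, SAMPLE_LOG).items()):
        print(f"{host:20s} {status}")
```

Run against a real acme.json and traefik.log by reading both files in place of the constructed samples; a name reported as "missing" was never issued, which matches what the thread's log shows for example.com.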

The previous log part 1/2 (due to the forum limit of 32,000 characters per message).

The next log part 2/2:

...
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for pic.example.com with TLS options default entryPointName=http
2025-07-22T06:45:53Z WRN github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:182 > No domain found in rule HostRegexp(`{host:.+}`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for pic.example.com with TLS options default entryPointName=https
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:468 > No domain parsed in provider ACME ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-catchall@file rule=HostRegexp(`{host:.+}`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:472 > Trying to challenge certificate for domain [pic.example.com] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:472 > Trying to challenge certificate for domain [pic.example.com] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:946 > Looking for provided certificate(s) to validate ["pic.example.com"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:946 > Looking for provided certificate(s) to validate ["pic.example.com"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:992 > Domains need ACME certificates generation for domains "pic.example.com". ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["pic.example.com"] providerName=lets-encrypt.acme routerName=nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:710 > Loading ACME certificates [pic.example.com]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:990 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["pic.example.com"] providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:45:54Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:272 > Building ACME client... providerName=lets-encrypt.acme
2025-07-22T06:45:54Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:278 > https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2025-07-22T06:45:55Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:459 > Register... providerName=lets-encrypt.acme
2025-07-22T06:45:55Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] acme: Registering account for user@gmail.com lib=lego
2025-07-22T06:45:55Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:352 > Using HTTP Challenge provider. providerName=lets-encrypt.acme
2025-07-22T06:45:55Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [pic.example.com] acme: Obtaining bundled SAN certificate lib=lego
2025-07-22T06:45:56Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [pic.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/[redacted]/[redacted] lib=lego
2025-07-22T06:45:56Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [pic.example.com] acme: Could not find solver for: tls-alpn-01 lib=lego
2025-07-22T06:45:56Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [pic.example.com] acme: use http-01 solver lib=lego
2025-07-22T06:45:56Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [pic.example.com] acme: Trying to solve HTTP-01 lib=lego
2025-07-22T06:45:58Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:84 > Unable to split host and port. Fallback to request host. error="address pic.example.com: missing port in address" providerName=acme
2025-07-22T06:45:58Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:104 > Retrieving the ACME challenge for pic.example.com (token "[redacted]-[redacted]")... providerName=acme
2025-07-22T06:45:58Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:84 > Unable to split host and port. Fallback to request host. error="address pic.example.com: missing port in address" providerName=acme
2025-07-22T06:45:58Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:104 > Retrieving the ACME challenge for pic.example.com (token "[redacted]-[redacted]")... providerName=acme
2025-07-22T06:45:59Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:84 > Unable to split host and port. Fallback to request host. error="address pic.example.com: missing port in address" providerName=acme
2025-07-22T06:45:59Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:104 > Retrieving the ACME challenge for pic.example.com (token "[redacted]-[redacted]")... providerName=acme
2025-07-22T06:45:59Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:84 > Unable to split host and port. Fallback to request host. error="address pic.example.com: missing port in address" providerName=acme
2025-07-22T06:45:59Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:104 > Retrieving the ACME challenge for pic.example.com (token "[redacted]-[redacted]")... providerName=acme
2025-07-22T06:45:59Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:84 > Unable to split host and port. Fallback to request host. error="address pic.example.com: missing port in address" providerName=acme
2025-07-22T06:45:59Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:104 > Retrieving the ACME challenge for pic.example.com (token "[redacted]-[redacted]")... providerName=acme
2025-07-22T06:46:00Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:00Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:02Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [pic.example.com] The server validated our request lib=lego
2025-07-22T06:46:02Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [pic.example.com] acme: Validations succeeded; requesting certificates lib=lego
2025-07-22T06:46:04Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:04Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:06Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [pic.example.com] Server responded with a certificate. lib=lego
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:736 > Certificates obtained for domains [pic.example.com] ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=lets-encrypt.acme
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) pic.example.com
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:320 > Creating load-balancer entryPointName=https routerName=https-nginx@docker serviceName=nginx@docker
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:363 > Creating server URL=http://192.168.176.2:12345 entryPointName=https routerName=https-nginx@docker serverIndex=0 serviceName=nginx@docker
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-nginx@docker
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-nginx@docker
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=nginx@docker
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=nginx@docker
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for pic.example.com with TLS options default entryPointName=http
2025-07-22T06:46:06Z WRN github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:182 > No domain found in rule HostRegexp(`{host:.+}`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for pic.example.com with TLS options default entryPointName=https
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:468 > No domain parsed in provider ACME ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-catchall@file rule=HostRegexp(`{host:.+}`)
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:472 > Trying to challenge certificate for domain [pic.example.com] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:472 > Trying to challenge certificate for domain [pic.example.com] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:946 > Looking for provided certificate(s) to validate ["pic.example.com"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:946 > Looking for provided certificate(s) to validate ["pic.example.com"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:990 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["pic.example.com"] providerName=lets-encrypt.acme routerName=nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:46:06Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:990 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["pic.example.com"] providerName=lets-encrypt.acme routerName=https-nginx@docker rule=Host(`pic.example.com`)
2025-07-22T06:46:07Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "100.101.102.103"
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44096: EOF
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "100.101.102.103"
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "100.101.102.103"
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:59134: EOF
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44100: EOF
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "100.101.102.103"
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "100.101.102.103"
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44106: tls: no cipher suite supported by both client and server
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:59140: EOF
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "100.101.102.103"
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:59144: tls: no cipher suite supported by both client and server
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44110: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:59148: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44114: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44116: tls: client offered only unsupported versions: [302 301]
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "100.101.102.103"
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44120: EOF
2025-07-22T06:46:16Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "100.101.102.103"
2025-07-22T06:46:16Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44122: EOF
2025-07-22T06:46:25Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:46:26Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:46:28Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:28Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44152: local error: tls: bad record MAC
2025-07-22T06:46:29Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:46:32Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:46:44Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:44Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44196: local error: tls: bad record MAC
2025-07-22T06:46:48Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:46:55Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "example.com"
2025-07-22T06:46:55Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44230: local error: tls: bad record MAC
2025-07-22T06:48:02Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:48:07Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:48:09Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44304: EOF
2025-07-22T06:48:09Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44302: EOF
2025-07-22T06:48:10Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44310: tls: no cipher suite supported by both client and server
2025-07-22T06:48:10Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44312: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])
2025-07-22T06:48:12Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44318: tls: client offered only unsupported versions: [302 301]
2025-07-22T06:48:12Z DBG log/log.go:245 > http: TLS handshake error from 192.168.176.1:44316: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])
2025-07-22T06:48:14Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
2025-07-22T06:48:14Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://192.168.176.2:12345
...

From the doc:

Any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store.

So pic.example.com is correctly created, as it is mentioned in Host(). But example.com is nowhere (where it isn't ignored), so it's not created.

Check the simple Traefik dnsChallenge example for adding domains that are not in any Host() rule:

      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --entrypoints.websecure.http.tls.domains[0].main=example.com
      - --entrypoints.websecure.http.tls.domains[0].sans=*.example.com,*.test.example.com

The TLSStore location... I see now... and I am sorry for missing this note, apparently; I appreciate you very much for pointing it out, @bluepuma77!

Solution

The working minimal configuration, with the changes, is the following:

Traefik container file (excerpt): /traefik.yaml:

# ...
entryPoints:
  http:
    address: ':80'

  https:
    address: ':443'
    asDefault: true

    http:
      tls:
        certResolver: 'lets-encrypt'
        # 'domains' is a list; each item names a certificate to request for
        # this entry point even when no router Host() rule mentions it.
        domains:
          - main: 'example.com'

  traefik:
    address: ':8111'

# Note: the Traefik v1 key 'defaultEntryPoints' does not exist in v3;
# 'asDefault: true' above is how v3 marks the default entry point(s).
# ...

Traefik container file: /opt/config/traefik/providers/tls.yaml:

#
# Dynamic Traefik Configuration File
#
# @see https://doc.traefik.io/traefik/v2.0/reference/dynamic-configuration/file
# 
# TLS
# 
# If invalid, should result in 'ERR_SSL_UNRECOGNIZED_NAME_ALERT'.
#
# @see https://doc.traefik.io/traefik/https/tls/#acme-default-certificate
# @see https://www.rfc-editor.org/rfc/rfc4366#section-4 ("unrecognized_name")
#
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: 'lets-encrypt'
        domain:
          main: 'example.com'
          
#       defaultCertificate:
#       certFile: '/opt/traefik/tls/certs/cert.pem'
#       keyFile: '/opt/traefik/tls/private/key.pem'

Notes

I've also experimented with spoofed SNI in requests and with various configs, and indeed it handles the default TLSStore only; we can even see it in the source:

  1. In the active code:

    const (
        // DefaultTLSConfigName is the name of the default set of options for configuring TLS.
        DefaultTLSConfigName = "default"
        // DefaultTLSStoreName is the name of the default store of TLS certificates.
        // Note that it actually is the only usable one for now.
        DefaultTLSStoreName = "default"
    )
    // ...
    
    // GetServerCertificates returns all certificates from the default store,
    // as well as the user-defined default certificate (if it exists).
    func (m *Manager) GetServerCertificates() []*x509.Certificate {
        var certificates []*x509.Certificate
      
        // The default store is the only relevant, because it is the only one configurable.
        defaultStore, ok := m.stores[DefaultTLSStoreName]
    // ...
    

    Source

  2. In tests:

    domains := acmeProvider.getUncheckedDomains(t.Context(), test.domains, "default")
    

    Source

It's probably worth mentioning the following:

  1. The domain property value in the file acme.json does not affect the chosen certificate; Traefik searches for the domains stated inside the certificates themselves. E.g. the following would still serve the certificate for example.com where the property is set to test.example.com:

    {
      "lets-encrypt": {
        "Account": {
          "Email": "user@gmail.com",
          "Registration": {
            "body": {
              "status": "valid"
            },
            "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/[redacted]"
          },
          "PrivateKey": "test",
          "KeyType": "4096"
        },
        "Certificates": [
          {
            "domain": {
              "main": "test.example.com" // <- This change.
            },
            "certificate": "*Certificate of example.com*",
            "key": "",
            "Store": "default"
          },
          {
            "domain": {
              "main": "pic.example.com"
            },
            "certificate": "*Certificate of pic.example.com*",
            "key": "",
            "Store": "default"
          }
        ]
      }
    }
    
  2. The Kubernetes and Docker cases may differ; in the logs from Docker, it states:

    WRN github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:584 > \
    defaultCertificate and defaultGeneratedCert cannot be defined at the same time.
    

    In the general documentation, we may see:

    The defaultGeneratedCert definition takes precedence over the ACME default certificate configuration.
    Source

    Yet, in the Kubernetes documentation there is:

    If both defaultCertificate and defaultGeneratedCert are set, the TLS certificate contained in defaultCertificate.secretName is served. The ACME default certificate is not generated.
    Source


Thank you for the marvel you do!
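As an added example (not code from any of the posts above, nor Traefik's own code), the following Python models the certificate lookup that bluepuma77's reply and note 1 describe: Traefik keys its single "default" store by the names found inside each certificate rather than by the `domain` field written to acme.json, a wildcard SAN covers exactly one label (so `*.example.com` needs a separate `main: example.com` for the apex), and any ServerName that matches nothing gets the self-signed default certificate. It assumes a constructed acme.json in which the base64 PEM is replaced by a `SANS:<name>,<name>` stand-in; with a real file you would list the names with `openssl x509 -noout -ext subjectAltName -in cert.pem`. The function names and the `SANS:` marker are this example's own, not Traefik's.

```python
import json
from typing import Dict, List, Optional

# Added example, not Traefik's own code. It models the certificate lookup the
# thread is about: the single "default" store is keyed by the names found
# inside each certificate, a wildcard SAN covers one label, and any unmatched
# ServerName falls back to the self-signed default certificate.
#
# In a real acme.json the "certificate" field is a base64 PEM; the names to
# key on are its SANs (openssl x509 -noout -ext subjectAltName -in cert.pem).
# Here that field is a constructed stand-in "SANS:<name>,<name>" so the
# example runs offline; sans_of() is the placeholder for real SAN extraction.

DEFAULT_CERT = "<traefik default self-signed certificate>"

# Constructed acme.json mirroring the thread: the "domain" bookkeeping next to
# the first entry is deliberately wrong (test.example.com) to show that it is
# not what the lookup uses.
ACME_JSON = json.dumps({
    "lets-encrypt": {
        "Certificates": [
            {"domain": {"main": "test.example.com"},
             "certificate": "SANS:example.com,www.example.com",
             "Store": "default"},
            {"domain": {"main": "pic.example.com"},
             "certificate": "SANS:pic.example.com",
             "Store": "default"},
        ]
    }
})

# Same shape, with the wildcard SAN a dnsChallenge setup would obtain.
WILDCARD_ACME_JSON = json.dumps({
    "lets-encrypt": {
        "Certificates": [
            {"domain": {"main": "example.com", "sans": ["*.example.com"]},
             "certificate": "SANS:example.com,*.example.com",
             "Store": "default"},
        ]
    }
})


def sans_of(certificate_field: str) -> List[str]:
    """Stand-in for extracting SANs from the PEM (see note above)."""
    if not certificate_field.startswith("SANS:"):
        raise ValueError("constructed example expects 'SANS:<names>'")
    return [n.strip().lower() for n in certificate_field[5:].split(",") if n.strip()]


def load_store(acme_json: str, resolver: str) -> Dict[str, str]:
    """Build the lookup table SAN -> certificate.

    The 'domain' field is ignored on purpose; only entries in the 'default'
    store count, since Traefik consults no other store.
    """
    store: Dict[str, str] = {}
    for entry in json.loads(acme_json)[resolver]["Certificates"]:
        if entry.get("Store", "default") != "default":
            continue
        for name in sans_of(entry["certificate"]):
            store[name] = entry["certificate"]
    return store


def pick_certificate(store: Dict[str, str], sni: Optional[str]) -> str:
    """Exact SAN match first, then a one-label wildcard, else the default cert."""
    if not sni:                       # no ServerName at all (client used an IP)
        return DEFAULT_CERT
    host = sni.lower().rstrip(".")
    if host in store:
        return store[host]
    # A wildcard certificate covers exactly one label: *.example.com serves
    # pic.example.com but neither example.com nor a.b.example.com.
    labels = host.split(".")
    if len(labels) >= 2:
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in store:
            return store[wildcard]
    return DEFAULT_CERT


def served_certificates(acme_json: str, snis: List[Optional[str]]) -> Dict[Optional[str], str]:
    """Which certificate each ServerName would get from this acme.json."""
    store = load_store(acme_json, "lets-encrypt")
    return {sni: pick_certificate(store, sni) for sni in snis}


if __name__ == "__main__":
    for sni, cert in served_certificates(
        ACME_JSON, ["example.com", "pic.example.com", "test.example.com", None]
    ).items():
        print(f"{sni!r:>20} -> {cert}")
```

To see what a running Traefik actually picks for a given name, probe it with an explicit SNI: `openssl s_client -connect <host>:443 -servername pic.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName`. If the subject comes back as the Traefik default certificate, no certificate in the default store contains that name, whatever acme.json's `domain` field says.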

Related

- Multiple certificate stores #4756 (GitHub)
