Why would Traefik serve the default self-generated certificate only for a subdomain of a Docker Compose container?

Thank you for responding! I haven't yet added more logs to the binary since I've been trying to build it inside containers only, and since their build scripts assume they are run on the host, I'm currently stuck on a path mismatch between the containers during the build, and will return to it if required.

Apparently, dear Let's Encrypt had been having issues for quite some time, and I'd been receiving a lot of HTTP 503, 502 and 500 responses during ACME attempts and certificate registration.

I waited until their environment got more stable, and tried again with the tls.conf file removed. The same issue was in the logs: the default certificate for the subdomain but not the main domain.

Next, I tried restarting Traefik with the acme.json file removed again, and for a currently unknown reason, it tried requesting a certificate for the subdomain and, finally, stored it in acme.json.

As a result, it now serves a certificate for the subdomain but not for the main domain, where the latter now behaves as the subdomain did previously.

The file acme.json now has only the ACME authentication key and a certificate for the subdomain (previously, it had the same but for the main domain only):

{
  "lets-encrypt": {
    "Account": {
      "Email": "user@gmail.com",
      "Registration": {
        "body": {
          "status": "valid"
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/[redacted]"
      },
      "PrivateKey": "...",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "pic.example.com"
        },
        "certificate": "...",
        "key": "...",
        "Store": "default"
      }
    ]
  }
}

The log from when it received the cert for the subdomain (pic.example.com) but not the main domain (example.com):

2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:105 > Traefik version 3.4.4 built on 2025-07-11T08:31:57Z version=3.4.4
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:112 > Static configuration loaded [json] staticConfiguration={"accessLog":{"fields":{"defaultMode":"keep","headers":{"defaultMode":"keep","names":{"Authorization":"redact"}},"names":{"ClientUsername":"drop","DownstreamContentSize":"drop","DownstreamStatus":"drop","Overhead":"drop","ServiceURL":"drop"}},"filePath":"/var/log/traefik/access.log","filters":{"minDuration":"10ms"},"format":"json"},"api":{"basePath":"/","dashboard":true,"debug":true,"insecure":true},"certificatesResolvers":{"lets-encrypt":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"user@gmail.com","httpChallenge":{"entryPoint":"http"},"keyType":"RSA4096","storage":"/resolvers/acme.json"}}},"entryPoints":{"http":{"address":":80","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"https":{"address":":443","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true,"tls":{"certResolver":"lets-encrypt"}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"traefik":{"address":":8111","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"sanitizePath":true},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"experimental":{"plugins":{"rewriteHeadersTP":{"moduleName":"github.com/bitrvmpd/traefik-plugin-rewrite-headers","settings":{},"version":"v0.0.1"}}},"global":{"checkNewVersion":true},"log":{"compress":true,"filePath":"/var/log/traefik/traefik.log","format":"common","level":"TRACE","maxAge":7,"maxBackups":10},"provi
ders":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","httpClientTimeout":"1h23m20s","network":"reverse-proxy","watch":true},"file":{"directory":"/opt/config/traefik/providers","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:634 > 
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:239 > Loading plugins... plugins=["rewriteHeadersTP"]
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: rewriteHeadersTP: github.com/bitrvmpd/traefik-plugin-rewrite-headers@v0.0.1
2025-07-22T06:45:51Z DBG github.com/hashicorp/go-retryablehttp@v0.7.7/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/download/github.com/bitrvmpd/traefik-plugin-rewrite-headers/v0.0.1
2025-07-22T06:45:51Z DBG github.com/hashicorp/go-retryablehttp@v0.7.7/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/validate/github.com/bitrvmpd/traefik-plugin-rewrite-headers/v0.0.1
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:249 > Plugins loaded. plugins=["rewriteHeadersTP"]
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator *aggregator.ProviderAggregator
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=http
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=traefik
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:222 > Starting TCP Server entryPointName=https
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"directory":"/opt/config/traefik/providers","watch":true}
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/middlewares.yaml
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/routers.yaml
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/services.yaml
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /opt/config/traefik/providers/tls.yaml.b
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *docker.Provider
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *docker.Provider provider configuration config={"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","httpClientTimeout":"1h23m20s","network":"reverse-proxy","watch":true}
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"lets-encrypt","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"user@gmail.com","httpChallenge":{"entryPoint":"http"},"keyType":"RSA4096","storage":"/resolvers/acme.json","store":{}}
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:234 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2025-07-22T06:45:51Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:890 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"redirect-to-https":{"redirectScheme":{"port":"443","scheme":"https"}},"redirect-to-main-host":{"redirectRegex":{"permanent":true,"regex":".+","replacement":"https://example.com"}}},"routers":{"catchall":{"entryPoints":["http","https"],"middlewares":["redirect-to-https"],"priority":1,"rule":"HostRegexp(`{host:.+}`)","service":"noop@internal"}}},"tcp":{},"tls":{},"udp":{}} providerName=file
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"dashboard_redirect":{"redirectRegex":{"permanent":true,"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/"}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}}},"models":{"https":{"observability":{},"tls":{"certResolver":"lets-encrypt"}}},"routers":{"acme-http":{"entryPoints":["http"],"priority":9223372036854775807,"rule":"PathPrefix(`/.well-known/acme-challenge/`)","ruleSyntax":"default","service":"acme-http@internal"},"api":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/api`)","ruleSyntax":"default","service":"api@internal"},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"priority":9223372036854775805,"rule":"PathPrefix(`/`)","ruleSyntax":"default","service":"dashboard@internal"},"debug":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/debug`)","ruleSyntax":"default","service":"api@internal"}},"serversTransports":{"default":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200}},"services":{"acme-http":{},"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=lets-encrypt.acme
2025-07-22T06:45:51Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:90 > Provider connection established with docker 24.0.2 (API 1.43) providerName=docker
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-traefik-9671b597b2681849626ea45dfe901e1fd6a641b0bb1fd25f9f183bda7c0e7ebb providerName=docker
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=database-nginx-89ffaf95a71f48f9a4a49b3e05542ed137279f0788cd5bec43a403bcb5dfd29e providerName=docker
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"routers":{"nginx":{"entryPoints":["http","https"],"middlewares":["redirect-to-https@file"],"priority":2,"rule":"Host(`pic.example.com`)","service":"nginx","tls":{"certResolver":"lets-encrypt"}}},"services":{"nginx":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://192.168.176.2:12345"}],"strategy":"wrr"}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:52Z WRN github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:182 > No domain found in rule HostRegexp(`{host:.+}`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2025-07-22T06:45:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:468 > No domain parsed in provider ACME ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme routerName=https-catchall@file rule=HostRegexp(`{host:.+}`)
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-catchall@file
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:320 > Creating load-balancer entryPointName=https routerName=https-nginx@docker serviceName=nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:363 > Creating server URL=http://192.168.176.2:12345 entryPointName=https routerName=https-nginx@docker serverIndex=0 serviceName=nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=https middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=https-nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=http middlewareName=redirect-to-https@file middlewareType=RedirectScheme routerName=nginx@docker
2025-07-22T06:45:53Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
...

The log continues in part 2/2 (due to the forum limit of 32,000 characters per message).
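
A way to cross-check the two artefacts in the post above, added here as an example and not part of the original post or of Traefik: it reads the certificate names stored in acme.json, pulls the router rules out of "Configuration received" debug lines, and reports which Host() names have no stored certificate and so fall back to the default one. The sample acme.json, the shortened log lines and the `main-site` router are constructed for illustration.

```python
import json
import re

HOST_CALL = re.compile(r"\bHost\(([^)]*)\)")  # Host(...) only, never HostRegexp(...)
BACKTICKED = re.compile(r"`([^`]+)`")
DECODER = json.JSONDecoder()

# Constructed acme.json with the shape shown in the post (secrets left as "...").
ACME_JSON = """{"lets-encrypt": {"Account": {"Email": "user@gmail.com"},
  "Certificates": [{"domain": {"main": "pic.example.com"},
                    "certificate": "...", "key": "...", "Store": "default"}]}}"""

# Constructed debug lines in the post's log format; "main-site" is a hypothetical router.
LOG_LINES = [
    '2025-07-22T06:45:51Z DBG configurationwatcher.go:227 > Configuration received '
    'config={"http":{"routers":{"catchall":{"rule":"HostRegexp(`{host:.+}`)",'
    '"service":"noop@internal"}}},"tls":{}} providerName=file',
    '2025-07-22T06:45:52Z DBG configurationwatcher.go:227 > Configuration received '
    'config={"http":{"routers":{"nginx":{"rule":"Host(`pic.example.com`)",'
    '"tls":{"certResolver":"lets-encrypt"}},"main-site":{"rule":"Host(`example.com`)",'
    '"tls":{"certResolver":"lets-encrypt"}}}},"tls":{}} providerName=docker',
]

def stored_names(acme_text):
    """Names (main plus sans) of every certificate in an acme.json document."""
    names = set()
    for resolver in json.loads(acme_text).values():
        for cert in resolver.get("Certificates") or []:  # the key may be null
            domain = cert.get("domain") or {}
            candidates = [domain.get("main"), *(domain.get("sans") or [])]
            names.update(n.lower() for n in candidates if n)
    return names

def covers(cert_name, host):
    """A wildcard name covers exactly one extra label; other names must match."""
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host

def routers_from_log(lines):
    """Yield (router@provider, rule) from 'Configuration received' entries."""
    for line in lines:
        start = line.find("config={")
        if "Configuration received" not in line or start < 0:
            continue
        config, end = DECODER.raw_decode(line, start + len("config="))
        provider = line[end:].partition("providerName=")[2].strip() or "unknown"
        for name, router in ((config.get("http") or {}).get("routers") or {}).items():
            yield f"{name}@{provider}", router.get("rule", "")

def audit(acme_text, log_lines):
    """Return (router, host, status) with status covered / missing / no-domain."""
    names = stored_names(acme_text)
    findings = []
    for router, rule in routers_from_log(log_lines):
        hosts = [h.lower() for args in HOST_CALL.findall(rule)
                 for h in BACKTICKED.findall(args)]
        if not hosts:  # matches the "No domain parsed in provider ACME" log entry
            findings.append((router, None, "no-domain"))
        for host in hosts:
            ok = any(covers(n, host) for n in names)
            findings.append((router, host, "covered" if ok else "missing"))
    return findings

if __name__ == "__main__":
    for finding in audit(ACME_JSON, LOG_LINES):
        print(finding)
```

A `missing` entry means ACME has not stored a certificate for that Host() name yet; `no-domain` means the rule gives ACME no name to request.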