Reputation: 1471
I'm struggling with Let's Encrypt setup for my Docker Swarm. Traefik is started this way in my stack's compose file:
    image: traefik:v2.2
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    command:
      - --api
      - --log.level=DEBUG
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik-public
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesResolvers.certbot=true
      - --certificatesResolvers.certbot.acme.httpChallenge=true
      - --certificatesResolvers.certbot.acme.httpChallenge.entrypoint=http
      - --certificatesResolvers.certbot.acme.email=${EMAIL?Variable EMAIL not set}
      - --certificatesResolvers.certbot.acme.storage=/certs/acme-v2.json
      - --certificatesResolvers.certbot.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    ...networks, volumes...
    deploy:
      mode: replicated
      replicas: 1 # to avoid concurrency issues
      ...
      labels:
        - "traefik.docker.network=traefik-public"
        - "traefik.enable=true"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        - "traefik.http.routers.traefik.rule=Host(`traefik.my-domain.com`)"
        - "traefik.http.routers.traefik.entrypoints=http,https"
        - "traefik.http.routers.traefik.tls.certresolver=certbot"
        - "traefik.http.routers.traefik.middlewares=traefik-auth"
        - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}"
And I cannot get more than this in the logs:
level=debug msg="No ACME certificate generation required for domains [\"traefik.my-domain.com\"]." providerName=certbot.acme routerName=traefik@docker rule="Host(`traefik.my-domain.com`)"
I wonder why no ACME certificate is required, while Firefox complains about getting the "TRAEFIK DEFAULT CERT" (Chromium does too, by the way).
I also tried:
Upvotes: 6
Views: 12221
Reputation: 41
For me it was the default (custom) cert that had been set, which was valid for the full domain, so Traefik didn't request a specific ACME/Let's Encrypt one, because it thought it already had one.
After disabling the custom default cert it worked instantly.
Upvotes: 4
Reputation: 51
I've had the same issue, and it helped me to change the volume where acme.json is stored. I think it's because when Traefik sees that acme.json is not empty, it simply doesn't ask for a new cert.
So if you're using something like:
    command:
      ...
      - --certificatesResolvers.certbot.acme.storage=/certs/acme-v2.json
    volumes:
      - "certs:/certs"
Try using a different volume:
    command:
      ...
      - --certificatesResolvers.certbot.acme.storage=/letsencrypt/acme-v2.json
    volumes:
      - "letsencrypt:/letsencrypt"
Upvotes: 5
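Both answers come down to the same thing: Traefik already holds a certificate it considers valid for the router's host, so it logs that no ACME generation is required. The following check is an added example (not code from the question or either answer) that parses an acme.json in the layout Traefik v2 writes and reports which stored certificates under a resolver cover a hostname, wildcard SANs included; the resolver name certbot, the storage path and the hostname are taken from the question, and the embedded acme.json is a constructed sample with placeholder certificate blobs.

```python
import json
import sys
from typing import List

# Constructed sample of a Traefik v2 acme.json: resolver name and hostname come
# from the question; the certificate/key fields are placeholders, not real material.
SAMPLE_ACME_JSON = json.dumps({
    "certbot": {
        "Account": {"Email": "admin@my-domain.com", "KeyType": "4096"},
        "Certificates": [
            {
                "domain": {"main": "my-domain.com", "sans": ["*.my-domain.com"]},
                "certificate": "PLACEHOLDER-BASE64-PEM",
                "key": "PLACEHOLDER-BASE64-PEM",
                "Store": "default",
            }
        ],
    }
})


def host_matches(pattern: str, host: str) -> bool:
    """True if a certificate name covers host; a wildcard covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.my-domain.com" -> ".my-domain.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def covering_certs(acme_json_text: str, resolver: str, host: str) -> List[str]:
    """Main names of certificates stored under `resolver` whose main/SAN names cover `host`.
    An empty list means nothing is on file for that host, so an ACME request is expected."""
    if not acme_json_text.strip():  # a fresh storage file is empty, not "{}"
        return []
    resolver_state = json.loads(acme_json_text).get(resolver) or {}
    found = []
    for cert in resolver_state.get("Certificates") or []:
        names = [cert["domain"]["main"]] + list(cert["domain"].get("sans") or [])
        if any(host_matches(name, host) for name in names):
            found.append(cert["domain"]["main"])
    return found


if __name__ == "__main__":
    # Usage: python check_acme.py /certs/acme-v2.json certbot traefik.my-domain.com
    path, resolver, host = sys.argv[1:4]
    with open(path, encoding="utf-8") as fh:
        covering = covering_certs(fh.read(), resolver, host)
    print(f"{host}: covered by {covering}" if covering else f"{host}: no stored certificate")
```

Run it against the real storage file (the question mounts it at /certs/acme-v2.json) to see whether an earlier certificate, for example one issued against the staging CA server, is what satisfies the router; the default certificate case from the first answer is not stored in acme.json and has to be checked in the TLS store configuration instead.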