Can't use SSL with LETSENCRYPT: No ACME certificate generation required for domains

Dear all, I have the following configuration:

# Traefik static configuration, posted as the reproduction for the question.
global:
  checkNewVersion: true
  sendAnonymousUsage: false

serversTransport:
  # Optional, Default=false
  # insecureSkipVerify disables SSL certificate verification.
  # It is left at false here, so verification stays enabled.
  insecureSkipVerify: false

log:
  # DEBUG produces the provider/ACME detail shown in the log output on this
  # page. The same output includes container IDs, labels and internal
  # addresses, so treat it as a troubleshooting level.
  level: "DEBUG"

entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"

api:
  # SECURITY: insecure mode serves the API and dashboard without
  # authentication on the "traefik" entry point (the log on this page shows
  # dashboard@internal and api@internal being wired to it). Anyone who can
  # reach that port can read the full routing configuration.
  insecure: true # enable WEB UI
  dashboard: true
  # SECURITY: debug adds debugging/profiling endpoints to the same
  # unauthenticated API; keep it off outside a test environment.
  debug: true

providers:
  # providersThrottleDuration: 42
  docker:
    watch: true
    # Containers are ignored unless they carry traefik.enable=true; the log
    # line "Filtering disabled container" is this setting at work.
    exposedByDefault: false
    # Prefer the published IP/port binding of a container; the log shows the
    # fallback to the internal IP/port when no binding exists.
    useBindPortIP: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: "me+prod@mydomain.com"
      # Holds the ACME account and issued certificates together with their
      # private keys, so the file and its host directory need tight
      # permissions.
      # NOTE(review): the debug log on this page shows a certificate being
      # added for the test domain before "No ACME certificate generation
      # required"; presumably a certificate from an earlier run (e.g. against
      # staging) is still stored here. Confirm by inspecting the file.
      storage: "/letsencrypt/acme.json"
      # Let's Encrypt production directory (ACME v2).
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        # DNS-01 through the OVH API; the credentials are the OVH_* variables
        # set on the Traefik container.
        provider: ovh

traefik compose file:

# Compose file for the Traefik reverse proxy itself.
version: '3'

services:
  reverse-proxy:
    # NOTE(review): v2.1 is a moving tag; pin a full version or digest if
    # reproducible deployments matter.
    image: traefik:v2.1
    networks:
     - traefik-public
    environment:
      # OVH API credentials used by the DNS challenge (masked in the post).
      # They grant control over DNS records, so keep the real values out of
      # version control and out of pasted configuration.
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=********"
      - "OVH_APPLICATION_SECRET=***********************"
      - "OVH_CONSUMER_KEY=***********************"
    ports:
      - "80:80"
      - "443:443"
      # SECURITY: with api.insecure enabled in traefik.yaml this publishes the
      # unauthenticated dashboard/API on every host interface. Bind it to
      # loopback or drop the mapping when the host is reachable from outside.
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      # SECURITY: ":ro" only makes the socket file's bind mount read-only; it
      # does not limit the Docker API calls that can be made over the socket,
      # so a compromise of this container still gives control of the Docker
      # daemon.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # NOTE(review): mounted read-write; Traefik presumably only needs to
      # read its static configuration, so ":ro" would fit here. Confirm.
      - "./traefik.yaml:/etc/traefik/traefik.yaml"
      # Host directory backing the ACME storage file (certificates and
      # private keys); restrict its permissions on the host.
      - "./letsencrypt:/letsencrypt"
      # uncomment only if staging environment
      # - "./staging/fakelerootx1.pem:/etc/ssl/certs/fakelerootx1.pem"

networks:
  # Pre-existing network shared with the services Traefik routes to.
  traefik-public:
    external: true

The service compose:

# Compose file for the test backend that Traefik routes to.
version: '3'

services:
  whoami:
    # NOTE(review): no tag is given, so the image resolves to "latest"; pin a
    # version or digest for a reproducible test.
    image: containous/whoami
    networks:
     - traefik-public
    labels:
      # Opt this container in; the Docker provider runs with
      # exposedByDefault=false.
      - traefik.enable=true
      # Route requests for this host name to the container.
      - traefik.http.routers.whoami.rule=Host(`traefik-testing.mydomain.com`)
      # The router is attached to the :443 entry point only; nothing here
      # serves or redirects plain HTTP on :80.
      - traefik.http.routers.whoami.entrypoints=web-secure
      # Ask the "letsencrypt" resolver from traefik.yaml for this router's
      # certificate.
      - traefik.http.routers.whoami.tls.certresolver=letsencrypt
networks:
  # Same external network the reverse proxy is attached to.
  traefik-public:
    external: true

Result :

reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Provider event received {Status:start ID:ac742b2cd5f856ae16f1969d7b9ba34c25232da64edea1b5261788bd30930516 From:containous/whoami Type:container Action:start Actor:{ID:ac742b2cd5f856ae16f1969d7b9ba34c25232da64edea1b5261788bd30930516 Attributes:map[com.docker.compose.config-hash:b07aae9ad5fe32250640d7695726e9f85c03212dbc6638e0057d997d58c467ab com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:testing com.docker.compose.service:whoami com.docker.compose.version:1.24.1 image:containous/whoami name:testing_whoami_1 traefik.enable:true traefik.http.routers.whoami.entrypoints:web-secure traefik.http.routers.whoami.rule:Host(`traefik-testing.mydomain.com`) traefik.http.routers.whoami.tls.certresolver:letsencrypt]} Scope:local Time:1575996185 TimeNano:1575996185600614388}" providerName=docker
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=info msg="Unable to find a binding for container \"/testing_whoami_1\", falling back on its internal IP/Port." container=whoami-testing-ac742b2cd5f856ae16f1969d7b9ba34c25232da64edea1b5261788bd30930516 providerName=docker serviceName=whoami-testing
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Filtering disabled container" providerName=docker container=reverse-proxy-traefik-e6b210720f066ad66216a2c1f96e701d9dc4639663a6186d19e473adc07a4ec1
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"web-secure\"],\"service\":\"whoami-testing\",\"rule\":\"Host(`traefik-testing.mydomain.com`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}}},\"services\":{\"whoami-testing\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.24.0.3:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Adding certificate for domain(s) traefik-testing.mydomain.com"
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="No default certificate, generating one"
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:]+(:\\d+)?)/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder routerName=api@internal entryPointName=traefik
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Recovery middlewareName=traefik-internal-recovery
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Creating middleware" entryPointName=web-secure routerName=whoami@docker serviceName=whoami-testing middlewareType=Pipelining middlewareName=pipelining
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Creating load-balancer" entryPointName=web-secure routerName=whoami@docker serviceName=whoami-testing
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Creating server 0 http://172.24.0.3:80" entryPointName=web-secure routerName=whoami@docker serviceName=whoami-testing serverName=0
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Added outgoing tracing middleware whoami-testing" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web-secure routerName=whoami@docker
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Creating middleware" entryPointName=web-secure middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Try to challenge certificate for domain [traefik-testing.mydomain.com] found in HostSNI rule" providerName=letsencrypt.acme routerName=whoami@docker rule="Host(`traefik-testing.mydomain.com`)"
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="Looking for provided certificate(s) to validate [\"traefik-testing.mydomain.com\"]..." rule="Host(`traefik-testing.mydomain.com`)" providerName=letsencrypt.acme routerName=whoami@docker
reverse-proxy_1  | time="2019-12-10T16:43:05Z" level=debug msg="No ACME certificate generation required for domains [\"traefik-testing.mydomain.com\"]." routerName=whoami@docker rule="Host(`traefik-testing.mydomain.com`)" providerName=letsencrypt.acme

I am using traefik v2.1 docker image,

Any idea what I am missing? I have tested both staging and prod, with the same result both times; the curl request produces:

curl -H 'Host: traefik-testing.mydomain.com' https://traefik-testing.mydomain.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I'm seeing something possibly related here, but I'm unsure whether the problem is with acme or with my DNS provider (or something else entirely), and I don't see enough logging from either of these sources to diagnose it, even with log.level=DEBUG set. Do different log formats yield greater verbosity, or is there separate logging for acme, or for the dnschallenge record setup? I recall in 1.x there was an acme.logging.

Right now I see the not entirely helpful "No ACME certificate generation required for domains" debug message.