Let’s Encrypt

You can configure Traefik to use an ACME provider (like Let’s Encrypt) for automatic certificate generation.

Let’s Encrypt and Rate Limiting

Note that Let’s Encrypt API has rate limiting.

Use Let’s Encrypt staging server with the configuration option when experimenting to avoid hitting this limit too fast.

Traefik requires you to define “Certificate Resolvers” in the static configuration, which are responsible for retrieving certificates from an ACME server.

Then, each is configured to enable TLS, and is associated to a certificate resolver through the tls.certresolver configuration option.

Certificates are requested for domain names retrieved from the router’s .

You can read more about this retrieval mechanism in the following section: ACME Domain Definition.

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must it.

Configuration Reference

There are many available options for ACME. For a quick glance at what’s possible, browse the configuration reference:

File (TOML)

File (YAML)

certificatesResolvers:
  myresolver:
    # Enable ACME (Let's Encrypt): automatic SSL.
    acme:
      # Email address used for registration.
      #
      # Required
      #
      email: "test@example.com"
      # File or key used for certificates storage.
      #
      # Required
      #
      storage: "acme.json"
      # CA server to use.
      # Uncomment the line to use Let's Encrypt's staging server,
      # leave commented to go to prod.
      #
      # Optional
      # Default: "https://acme-v02.api.letsencrypt.org/directory"
      #
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # Preferred chain to use.
      #
      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
      # If no match, the default offered chain will be used.
      #
      # Optional
      # Default: ""
      #
      # preferredChain: 'ISRG Root X1'
      # KeyType to use.
      #
      # Optional
      # Default: "RSA4096"
      #
      # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
      #
      # keyType: RSA4096
      # Use a TLS-ALPN-01 ACME challenge.
      #
      # Optional (but recommended)
      #
      tlsChallenge:
      # Use a HTTP-01 ACME challenge.
      #
      # Optional
      #
      # httpChallenge:
        # EntryPoint to use for the HTTP-01 challenges.
        #
        # Required
        #
        # entryPoint: web
      # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
      # Note: mandatory for wildcard certificate generation.
      #
      # Optional
      #
      # dnsChallenge:
        # DNS provider used.
        #
        # Required
        #
        # provider: digitalocean
        # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
        # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
        # Useful if internal networks block external DNS queries.
        #
        # Optional
        # Default: 0
        #
        # delayBeforeCheck: 0
        # Use following DNS servers to resolve the FQDN authority.
        #
        # Optional
        # Default: empty
        #
        # resolvers
        # - "1.1.1.1:53"
        # - "8.8.8.8:53"
        # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
        #
        # NOT RECOMMENDED:
        # Increase the risk of reaching Let's Encrypt's rate limits.
        #
        # Optional
        # Default: false
        #
        # disablePropagationCheck: true

CLI

# Enable ACME (Let's Encrypt): automatic SSL.
# Email address used for registration.
#
# Required
#
--certificatesresolvers.myresolver.acme.email=test@example.com
# File or key used for certificates storage.
#
# Required
#
--certificatesresolvers.myresolver.acme.storage=acme.json
# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
#
# Optional
# Default: "https://acme-v02.api.letsencrypt.org/directory"
#
--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
# Preferred chain to use.
#
# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
# If no match, the default offered chain will be used.
#
# Optional
# Default: ""
#
--certificatesresolvers.myresolver.acme.preferredchain="ISRG Root X1"
# KeyType to use.
#
# Optional
# Default: "RSA4096"
#
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
#
--certificatesresolvers.myresolver.acme.keytype=RSA4096
# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
--certificatesresolvers.myresolver.acme.tlschallenge=true
# Use a HTTP-01 ACME challenge.
#
# Optional
#
--certificatesresolvers.myresolver.acme.httpchallenge=true
# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
--certificatesresolvers.myresolver.acme.dnschallenge=true
#
# Required
#
--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
#
# NOT RECOMMENDED:
# Increase the risk of reaching Let's Encrypt's rate limits.
#
# Optional
# Default: false
#
--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

Domain Definition

Certificate resolvers request certificates for a set of the domain names inferred from routers, with the following logic:

• If the router has a option set, then the certificate resolver uses the main (and optionally sans) option of tls.domains to know the domain names for this router.

• If no tls.domains option is set, then the certificate resolver uses the , by checking the Host() matchers. Please note that multiple Host() matchers can be used) for specifying multiple domain names for this router.

Please note that:

• When multiple domain names are inferred from a given router, only one certificate is requested with the first domain name as the main domain, and the other domains as .

• As ACME V2 supports “wildcard domains”, any router can provide a name, as “main” domain or as “SAN” domain.

Please check the configuration examples below for more details.

Configuration Examples

Enabling ACME

File (TOML)

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
[certificatesResolvers.myresolver.acme]
  email = "your-email@example.com"
  storage = "acme.json"
  [certificatesResolvers.myresolver.acme.httpChallenge]
    # used during the challenge
    entryPoint = "web"

File (YAML)

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  myresolver:
    acme:
      email: your-email@example.com
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

CLI

--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
# ...
--certificatesresolvers.myresolver.acme.email=your-email@example.com
--certificatesresolvers.myresolver.acme.storage=acme.json
# used during the challenge
--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

Single Domain from Router’s Rule Example

• A certificate for the domain example.com is requested:

Docker

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver

Docker (Swarm)

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=myresolver
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`example.com`) && Path(`/blog`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls:
    certResolver: myresolver

Marathon

labels: {
  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "myresolver",
}

Rancher

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver

File (TOML)

## Dynamic configuration
[http.routers]
  [http.routers.blog]
  rule = "Host(`example.com`) && Path(`/blog`)"
  [http.routers.blog.tls]
    certResolver = "myresolver"

File (YAML)

## Dynamic configuration
http:
  routers:
    blog:
      rule: "Host(`example.com`) && Path(`/blog`)"
      tls:
        certResolver: myresolver

Multiple Domains from Router’s Rule Example

• A certificate for the domains example.com (main) and blog.example.org is requested:

Docker

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver

Docker (Swarm)

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=myresolver
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls:
    certResolver: myresolver

Marathon

labels: {
  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "myresolver",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}

Rancher

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver

File (YAML)

## Dynamic configuration
http:
  routers:
    blog:
      rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
      tls:
        certResolver: myresolver

Multiple Domains from Router’s tls.domain Example

• A certificate for the domains example.com (main) and *.example.org (SAN) is requested:

Docker

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
  - traefik.http.routers.blog.tls.domains[0].main=example.org
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Docker (Swarm)

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=myresolver
    - traefik.http.routers.blog.tls.domains[0].main=example.org
    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
    - websecure
  routes:
  - match: Host(`example.com`) && Path(`/blog`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls:
    certResolver: myresolver
    domains:
    - main: example.org
      sans:
      - '*.example.org'

Marathon

labels: {
  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "myresolver",
  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}

Rancher

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
  - traefik.http.routers.blog.tls.domains[0].main=example.org
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

File (TOML)

## Dynamic configuration
[http.routers]
  [http.routers.blog]
    rule = "Host(`example.com`) && Path(`/blog`)"
    [http.routers.blog.tls]
      certResolver = "myresolver" # From static configuration
      [[http.routers.blog.tls.domains]]
        main = "example.org"
        sans = ["*.example.org"]

File (YAML)

## Dynamic configuration
http:
  routers:
    blog:
      rule: "Host(`example.com`) && Path(`/blog`)"
      tls:
        certResolver: myresolver
        domains:
          - main: "example.org"
            sans:
              - "*.example.org"

Traefik automatically tracks the expiry date of ACME certificates it generates.

If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.

Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.

Using LetsEncrypt with Kubernetes

When using LetsEncrypt with kubernetes, there are some known caveats with both the ingress and providers.

If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.

The Different ACME Challenges

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must it.

Use the TLS-ALPN-01 challenge to generate and renew ACME certificates by provisioning a TLS certificate.

As described on the Let’s Encrypt community forum, when using the TLS-ALPN-01 challenge, Traefik must be reachable by Let’s Encrypt through port 443.

Configuring the tlsChallenge

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.tlsChallenge]

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      tlsChallenge: {}

CLI

# ...
--certificatesresolvers.myresolver.acme.tlschallenge=true

httpChallenge

Use the HTTP-01 challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.

As described on the Let’s Encrypt community forum, when using the HTTP-01 challenge, certificatesresolvers.myresolver.acme.httpchallenge.entrypoint must be reachable by Let’s Encrypt through port 80.

Using an EntryPoint Called web for the httpChallenge

File (TOML)

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
[certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.httpChallenge]
    entryPoint = "web"

File (YAML)

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  myresolver:
    acme:
      # ...
      httpChallenge:
        entryPoint: web

CLI

--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
# ...
--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

Redirection is fully compatible with the HTTP-01 challenge.

Use the DNS-01 challenge to generate and renew ACME certificates by provisioning a DNS record.

Configuring a dnsChallenge with the DigitalOcean Provider

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    provider = "digitalocean"
    delayBeforeCheck = 0
# ...

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      dnsChallenge:
        provider: digitalocean
        delayBeforeCheck: 0
    # ...

CLI

# ...
--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
# ...

Important

A provider is mandatory.

providers

Here is a list of supported providers, that can automate the DNS verification, along with the required environment variables and their wildcard & root domain support. Do not hesitate to complete it.

Many lego environment variables can be overridden by their respective _FILE counterpart, which should have a filepath to a file that contains the secret as its value. For example, CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email could be used to provide a Cloudflare API email address as a Docker secret named traefik_cf-api-email.

For complete details, refer to your provider’s Additional configuration link.

delayBeforeCheck

By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (value must be greater than zero). This option is useful when internal networks block external DNS queries.

resolvers

File (TOML)

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      dnsChallenge:
        # ...
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

CLI

# ...
--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53

Wildcard Domains

supports wildcard certificates. As described in Let’s Encrypt’s post wildcard certificates can only be generated through a .

• kid: Key identifier from External CA
• hmacEncoded: HMAC key from External CA, should be in Base64 URL Encoding without padding format

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.eab]
    kid = "abc-keyID-xyz"
    hmacEncoded = "abc-hmac-xyz"

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      eab:
        kid: abc-keyID-xyz
        hmacEncoded: abc-hmac-xyz

CLI

# ...
--certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
--certificatesresolvers.myresolver.acme.eab.hmacencoded=abc-hmac-xyz

More Configuration

caServer

Required, Default=”https://acme-v02.api.letsencrypt.org/directory“

The CA server to use:

• Let’s Encrypt production server:
• Let’s Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory

Using the Let’s Encrypt staging server

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  # ...

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # ...

CLI

# ...
--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
# ...

Required, Default=”acme.json”

The storage option sets the location where your ACME certificates are saved to.

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  storage = "acme.json"
  # ...

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      storage: acme.json
      # ...

CLI

# ...
--certificatesresolvers.myresolver.acme.storage=acme.json
# ...

ACME certificates are stored in a JSON file that needs to have a 600 file mode.

In Docker you can mount either the JSON file, or the folder containing it:

docker run -v "/my/host/acme.json:/acme.json" traefik

docker run -v "/my/host/acme:/etc/traefik/acme" traefik

Warning

For concurrency reasons, this file cannot be shared across multiple instances of Traefik.

preferredChain

Optional, Default=””

Preferred chain to use.

If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  preferredChain = "ISRG Root X1"
  # ...

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      preferredChain: 'ISRG Root X1'
      # ...

CLI

# ...
--certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
# ...

Optional, Default=”RSA4096”

KeyType used for generating certificate private key. Allow value ‘EC256’, ‘EC384’, ‘RSA2048’, ‘RSA4096’, ‘RSA8192’.

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  keyType = "RSA4096"
  # ...

File (YAML)

CLI

# ...
--certificatesresolvers.myresolver.acme.keyType="RSA4096"
# ...

Fallback

If Let’s Encrypt is not reachable, the following certificates will apply:

1. Previously generated ACME certificates (before downtime)
2. Expired ACME certificates
3. Provided certificates

Important

For new (sub)domains which need Let’s Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

1. more information about the HTTP message format can be found ↩

2. ↩

3. ↩

4. docker stack remark: there is no way to support terminal attached to container when deploying with docker stack, so you might need to run container with docker run -it to generate certificates using manual provider.