Let’s Encrypt

Automatic HTTPS

You can configure Traefik to use an ACME provider (like Let’s Encrypt) for automatic certificate generation.

Let’s Encrypt and Rate Limiting

Note that Let’s Encrypt API has rate limiting.

Use Let’s Encrypt staging server with the caServer configuration option when experimenting to avoid hitting this limit too fast.

Certificate Resolvers

Traefik requires you to define “Certificate Resolvers” in the static configuration, which are responsible for retrieving certificates from an ACME server.

Then, each “router” is configured to enable TLS, and is associated to a certificate resolver through the tls.certresolver configuration option.

Certificates are requested for domain names retrieved from the router’s dynamic configuration.

You can read more about this retrieval mechanism in the following section: ACME Domain Definition.

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

Configuration Reference

There are many available options for ACME. For a quick glance at what’s possible, browse the configuration reference:

File (TOML)

  1. # Enable ACME (Let's Encrypt): automatic SSL.
  2. [certificatesResolvers.myresolver.acme]
  4.   # Email address used for registration.
  5.   #
  6.   # Required
  7.   #
  8.   email = "test@example.com"
  10.   # File or key used for certificates storage.
  11.   #
  12.   # Required
  13.   #
  14.   storage = "acme.json"
  16.   # CA server to use.
  17.   # Uncomment the line to use Let's Encrypt's staging server,
  18.   # leave commented to go to prod.
  19.   #
  20.   # Optional
  21.   # Default: "https://acme-v02.api.letsencrypt.org/directory"
  22.   #
  23.   # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  25.   # Preferred chain to use.
  26.   #
  27.   # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
  28.   # If no match, the default offered chain will be used.
  29.   #
  30.   # Optional
  31.   # Default: ""
  32.   #
  33.   # preferredChain = "ISRG Root X1"
  35.   # KeyType to use.
  36.   #
  37.   # Optional
  38.   # Default: "RSA4096"
  39.   #
  40.   # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
  41.   #
  42.   # keyType = "RSA4096"
  44.   # Use a TLS-ALPN-01 ACME challenge.
  45.   #
  46.   # Optional (but recommended)
  47.   #
  48.   [certificatesResolvers.myresolver.acme.tlsChallenge]
  50.   # Use a HTTP-01 ACME challenge.
  51.   #
  52.   # Optional
  53.   #
  54.   # [certificatesResolvers.myresolver.acme.httpChallenge]
  56.     # EntryPoint to use for the HTTP-01 challenges.
  57.     #
  58.     # Required
  59.     #
  60.     # entryPoint = "web"
  62.   # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
  63.   # Note: mandatory for wildcard certificate generation.
  64.   #
  65.   # Optional
  66.   #
  67.   # [certificatesResolvers.myresolver.acme.dnsChallenge]
  69.     # DNS provider used.
  70.     #
  71.     # Required
  72.     #
  73.     # provider = "digitalocean"
  75.     # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
  76.     # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
  77.     # Useful if internal networks block external DNS queries.
  78.     #
  79.     # Optional
  80.     # Default: 0
  81.     #
  82.     # delayBeforeCheck = 0
  84.     # Use following DNS servers to resolve the FQDN authority.
  85.     #
  86.     # Optional
  87.     # Default: empty
  88.     #
  89.     # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
  91.     # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
  92.     #
  93.     # NOT RECOMMENDED:
  94.     # Increase the risk of reaching Let's Encrypt's rate limits.
  95.     #
  96.     # Optional
  97.     # Default: false
  98.     #
  99.     # disablePropagationCheck = true

File (YAML)

  1. certificatesResolvers:
  2.   myresolver:
  3.     # Enable ACME (Let's Encrypt): automatic SSL.
  4.     acme:
  6.       # Email address used for registration.
  7.       #
  8.       # Required
  9.       #
  10.       email: "test@example.com"
  12.       # File or key used for certificates storage.
  13.       #
  14.       # Required
  15.       #
  16.       storage: "acme.json"
  18.       # CA server to use.
  19.       # Uncomment the line to use Let's Encrypt's staging server,
  20.       # leave commented to go to prod.
  21.       #
  22.       # Optional
  23.       # Default: "https://acme-v02.api.letsencrypt.org/directory"
  24.       #
  25.       # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
  27.       # Preferred chain to use.
  28.       #
  29.       # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
  30.       # If no match, the default offered chain will be used.
  31.       #
  32.       # Optional
  33.       # Default: ""
  34.       #
  35.       # preferredChain: 'ISRG Root X1'
  37.       # KeyType to use.
  38.       #
  39.       # Optional
  40.       # Default: "RSA4096"
  41.       #
  42.       # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
  43.       #
  44.       # keyType: RSA4096
  46.       # Use a TLS-ALPN-01 ACME challenge.
  47.       #
  48.       # Optional (but recommended)
  49.       #
  50.       tlsChallenge:
  52.       # Use a HTTP-01 ACME challenge.
  53.       #
  54.       # Optional
  55.       #
  56.       # httpChallenge:
  58.         # EntryPoint to use for the HTTP-01 challenges.
  59.         #
  60.         # Required
  61.         #
  62.         # entryPoint: web
  64.       # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
  65.       # Note: mandatory for wildcard certificate generation.
  66.       #
  67.       # Optional
  68.       #
  69.       # dnsChallenge:
  71.         # DNS provider used.
  72.         #
  73.         # Required
  74.         #
  75.         # provider: digitalocean
  77.         # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
  78.         # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
  79.         # Useful if internal networks block external DNS queries.
  80.         #
  81.         # Optional
  82.         # Default: 0
  83.         #
  84.         # delayBeforeCheck: 0
  86.         # Use following DNS servers to resolve the FQDN authority.
  87.         #
  88.         # Optional
  89.         # Default: empty
  90.         #
  91.         # resolvers
  92.         # - "1.1.1.1:53"
  93.         # - "8.8.8.8:53"
  95.         # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
  96.         #
  97.         # NOT RECOMMENDED:
  98.         # Increase the risk of reaching Let's Encrypt's rate limits.
  99.         #
  100.         # Optional
  101.         # Default: false
  102.         #
  103.         # disablePropagationCheck: true

CLI

  1. # Enable ACME (Let's Encrypt): automatic SSL.
  3. # Email address used for registration.
  4. #
  5. # Required
  6. #
  7. --certificatesresolvers.myresolver.acme.email=test@example.com
  9. # File or key used for certificates storage.
  10. #
  11. # Required
  12. #
  13. --certificatesresolvers.myresolver.acme.storage=acme.json
  15. # CA server to use.
  16. # Uncomment the line to use Let's Encrypt's staging server,
  17. # leave commented to go to prod.
  18. #
  19. # Optional
  20. # Default: "https://acme-v02.api.letsencrypt.org/directory"
  21. #
  22. --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  24. # Preferred chain to use.
  25. #
  26. # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
  27. # If no match, the default offered chain will be used.
  28. #
  29. # Optional
  30. # Default: ""
  31. #
  32. --certificatesresolvers.myresolver.acme.preferredchain="ISRG Root X1"
  34. # KeyType to use.
  35. #
  36. # Optional
  37. # Default: "RSA4096"
  38. #
  39. # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
  40. #
  41. --certificatesresolvers.myresolver.acme.keytype=RSA4096
  43. # Use a TLS-ALPN-01 ACME challenge.
  44. #
  45. # Optional (but recommended)
  46. #
  47. --certificatesresolvers.myresolver.acme.tlschallenge=true
  49. # Use a HTTP-01 ACME challenge.
  50. #
  51. # Optional
  52. #
  53. --certificatesresolvers.myresolver.acme.httpchallenge=true
  55. # EntryPoint to use for the HTTP-01 challenges.
  56. #
  57. # Required
  58. #
  59. --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
  61. # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
  62. # Note: mandatory for wildcard certificate generation.
  63. #
  64. # Optional
  65. #
  66. --certificatesresolvers.myresolver.acme.dnschallenge=true
  68. # DNS provider used.
  69. #
  70. # Required
  71. #
  72. --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
  74. # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
  75. # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
  76. # Useful if internal networks block external DNS queries.
  77. #
  78. # Optional
  79. # Default: 0
  80. #
  81. --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
  83. # Use following DNS servers to resolve the FQDN authority.
  84. #
  85. # Optional
  86. # Default: empty
  87. #
  88. --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
  90. # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
  91. #
  92. # NOT RECOMMENDED:
  93. # Increase the risk of reaching Let's Encrypt's rate limits.
  94. #
  95. # Optional
  96. # Default: false
  97. #
  98. --certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

Domain Definition

Certificate resolvers request certificates for a set of the domain names inferred from routers, with the following logic:

  • If the router has a tls.domains option set, then the certificate resolver uses the main (and optionally sans) option of tls.domains to know the domain names for this router.

  • If no tls.domains option is set, then the certificate resolver uses the router’s rule, by checking the Host() matchers. Please note that multiple Host() matchers can be used) for specifying multiple domain names for this router.

Please note that:

Please check the configuration examples below for more details.

Configuration Examples

Enabling ACME

File (TOML)

  1. [entryPoints]
  2.   [entryPoints.web]
  3.     address = ":80"
  5.   [entryPoints.websecure]
  6.     address = ":443"
  8. [certificatesResolvers.myresolver.acme]
  9.   email = "your-email@example.com"
  10.   storage = "acme.json"
  11.   [certificatesResolvers.myresolver.acme.httpChallenge]
  12.     # used during the challenge
  13.     entryPoint = "web"

File (YAML)

  1. entryPoints:
  2.   web:
  3.     address: ":80"
  5.   websecure:
  6.     address: ":443"
  8. certificatesResolvers:
  9.   myresolver:
  10.     acme:
  11.       email: your-email@example.com
  12.       storage: acme.json
  13.       httpChallenge:
  14.         # used during the challenge
  15.         entryPoint: web

CLI

  1. --entrypoints.web.address=:80
  2. --entrypoints.websecure.address=:443
  3. # ...
  4. --certificatesresolvers.myresolver.acme.email=your-email@example.com
  5. --certificatesresolvers.myresolver.acme.storage=acme.json
  6. # used during the challenge
  7. --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

Single Domain from Router’s Rule Example

  • A certificate for the domain example.com is requested:

    Docker

  1. ## Dynamic configuration
  2. labels:
  3.   - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  4.   - traefik.http.routers.blog.tls=true
  5.   - traefik.http.routers.blog.tls.certresolver=myresolver

Docker (Swarm)

  1. ## Dynamic configuration
  2. deploy:
  3.   labels:
  4.     - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  5.     - traefik.http.routers.blog.tls=true
  6.     - traefik.http.routers.blog.tls.certresolver=myresolver
  7.     - traefik.http.services.blog-svc.loadbalancer.server.port=8080"

Kubernetes

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: IngressRoute
  3. metadata:
  4.   name: blogtls
  5. spec:
  6.   entryPoints:
  7.     - websecure
  8.   routes:
  9.   - match: Host(`example.com`) && Path(`/blog`)
  10.     kind: Rule
  11.     services:
  12.     - name: blog
  13.       port: 8080
  14.   tls:
  15.     certResolver: myresolver

Marathon

  1. labels: {
  2.   "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
  3.   "traefik.http.routers.blog.tls": "true",
  4.   "traefik.http.routers.blog.tls.certresolver": "myresolver",
  5.   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
  6. }

Rancher

  1. ## Dynamic configuration
  2. labels:
  3.   - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  4.   - traefik.http.routers.blog.tls=true
  5.   - traefik.http.routers.blog.tls.certresolver=myresolver

File (TOML)

  1. ## Dynamic configuration
  2. [http.routers]
  3.   [http.routers.blog]
  4.   rule = "Host(`example.com`) && Path(`/blog`)"
  5.   [http.routers.blog.tls]
  6.     certResolver = "myresolver"

File (YAML)

  1. ## Dynamic configuration
  2. http:
  3.   routers:
  4.     blog:
  5.       rule: "Host(`example.com`) && Path(`/blog`)"
  6.       tls:
  7.         certResolver: myresolver

Multiple Domains from Router’s Rule Example

  • A certificate for the domains example.com (main) and blog.example.org is requested:

    Docker

  1. ## Dynamic configuration
  2. labels:
  3.   - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  4.   - traefik.http.routers.blog.tls=true
  5.   - traefik.http.routers.blog.tls.certresolver=myresolver

Docker (Swarm)

  1. ## Dynamic configuration
  2. deploy:
  3.   labels:
  4.     - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  5.     - traefik.http.routers.blog.tls=true
  6.     - traefik.http.routers.blog.tls.certresolver=myresolver
  7.     - traefik.http.services.blog-svc.loadbalancer.server.port=8080"

Kubernetes

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: IngressRoute
  3. metadata:
  4.   name: blogtls
  5. spec:
  6.   entryPoints:
  7.     - websecure
  8.   routes:
  9.   - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  10.     kind: Rule
  11.     services:
  12.     - name: blog
  13.       port: 8080
  14.   tls:
  15.     certResolver: myresolver

Marathon

  1. labels: {
  2.   "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
  3.   "traefik.http.routers.blog.tls": "true",
  4.   "traefik.http.routers.blog.tls.certresolver": "myresolver",
  5.   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
  6. }

Rancher

  1. ## Dynamic configuration
  2. labels:
  3.   - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  4.   - traefik.http.routers.blog.tls=true
  5.   - traefik.http.routers.blog.tls.certresolver=myresolver

File (TOML)

  1. ## Dynamic configuration
  2. [http.routers]
  3.   [http.routers.blog]
  4.     rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
  5.     [http.routers.blog.tls]
  6.       certResolver = "myresolver"

File (YAML)

  1. ## Dynamic configuration
  2. http:
  3.   routers:
  4.     blog:
  5.       rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
  6.       tls:
  7.         certResolver: myresolver

Multiple Domains from Router’s tls.domain Example

  • A certificate for the domains example.com (main) and *.example.org (SAN) is requested:

    Docker

  1. ## Dynamic configuration
  2. labels:
  3.   - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  4.   - traefik.http.routers.blog.tls=true
  5.   - traefik.http.routers.blog.tls.certresolver=myresolver
  6.   - traefik.http.routers.blog.tls.domains[0].main=example.org
  7.   - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Docker (Swarm)

  1. ## Dynamic configuration
  2. deploy:
  3.   labels:
  4.     - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  5.     - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
  6.     - traefik.http.routers.blog.tls=true
  7.     - traefik.http.routers.blog.tls.certresolver=myresolver
  8.     - traefik.http.routers.blog.tls.domains[0].main=example.org
  9.     - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Kubernetes

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: IngressRoute
  3. metadata:
  4.   name: blogtls
  5. spec:
  6.   entryPoints:
  7.     - websecure
  8.   routes:
  9.   - match: Host(`example.com`) && Path(`/blog`)
  10.     kind: Rule
  11.     services:
  12.     - name: blog
  13.       port: 8080
  14.   tls:
  15.     certResolver: myresolver
  16.     domains:
  17.     - main: example.org
  18.       sans:
  19.       - '*.example.org'

Marathon

  1. labels: {
  2.   "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
  3.   "traefik.http.routers.blog.tls": "true",
  4.   "traefik.http.routers.blog.tls.certresolver": "myresolver",
  5.   "traefik.http.routers.blog.tls.domains[0].main": "example.com",
  6.   "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
  7.   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
  8. }

Rancher

  1. ## Dynamic configuration
  2. labels:
  3.   - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  4.   - traefik.http.routers.blog.tls=true
  5.   - traefik.http.routers.blog.tls.certresolver=myresolver
  6.   - traefik.http.routers.blog.tls.domains[0].main=example.org
  7.   - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

File (TOML)

  1. ## Dynamic configuration
  2. [http.routers]
  3.   [http.routers.blog]
  4.     rule = "Host(`example.com`) && Path(`/blog`)"
  5.     [http.routers.blog.tls]
  6.       certResolver = "myresolver" # From static configuration
  7.       [[http.routers.blog.tls.domains]]
  8.         main = "example.org"
  9.         sans = ["*.example.org"]

File (YAML)

  1. ## Dynamic configuration
  2. http:
  3.   routers:
  4.     blog:
  5.       rule: "Host(`example.com`) && Path(`/blog`)"
  6.       tls:
  7.         certResolver: myresolver
  8.         domains:
  9.           - main: "example.org"
  10.             sans:
  11.               - "*.example.org"

Automatic Renewals

Traefik automatically tracks the expiry date of ACME certificates it generates.

If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.

Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.

Using LetsEncrypt with Kubernetes

When using LetsEncrypt with kubernetes, there are some known caveats with both the ingress and crd providers.

If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.

The Different ACME Challenges

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

tlsChallenge

Use the TLS-ALPN-01 challenge to generate and renew ACME certificates by provisioning a TLS certificate.

As described on the Let’s Encrypt community forum, when using the TLS-ALPN-01 challenge, Traefik must be reachable by Let’s Encrypt through port 443.

Configuring the tlsChallenge

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2.   # ...
  3.   [certificatesResolvers.myresolver.acme.tlsChallenge]

File (YAML)

  1. certificatesResolvers:
  2.   myresolver:
  3.     acme:
  4.       # ...
  5.       tlsChallenge: {}

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.tlschallenge=true

httpChallenge

Use the HTTP-01 challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.

As described on the Let’s Encrypt community forum, when using the HTTP-01 challenge, certificatesresolvers.myresolver.acme.httpchallenge.entrypoint must be reachable by Let’s Encrypt through port 80.

Using an EntryPoint Called web for the httpChallenge

File (TOML)

  1. [entryPoints]
  2.   [entryPoints.web]
  3.     address = ":80"
  5.   [entryPoints.websecure]
  6.     address = ":443"
  8. [certificatesResolvers.myresolver.acme]
  9.   # ...
  10.   [certificatesResolvers.myresolver.acme.httpChallenge]
  11.     entryPoint = "web"

File (YAML)

  1. entryPoints:
  2.   web:
  3.     address: ":80"
  5.   websecure:
  6.     address: ":443"
  8. certificatesResolvers:
  9.   myresolver:
  10.     acme:
  11.       # ...
  12.       httpChallenge:
  13.         entryPoint: web

CLI

  1. --entrypoints.web.address=:80
  2. --entrypoints.websecure.address=:443
  3. # ...
  4. --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

Redirection is fully compatible with the HTTP-01 challenge.

dnsChallenge

Use the DNS-01 challenge to generate and renew ACME certificates by provisioning a DNS record.

Configuring a dnsChallenge with the DigitalOcean Provider

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2.   # ...
  3.   [certificatesResolvers.myresolver.acme.dnsChallenge]
  4.     provider = "digitalocean"
  5.     delayBeforeCheck = 0
  6. # ...

File (YAML)

  1. certificatesResolvers:
  2.   myresolver:
  3.     acme:
  4.       # ...
  5.       dnsChallenge:
  6.         provider: digitalocean
  7.         delayBeforeCheck: 0
  8.     # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
  3. --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
  4. # ...

Important

A provider is mandatory.

providers

Here is a list of supported providers, that can automate the DNS verification, along with the required environment variables and their wildcard & root domain support. Do not hesitate to complete it.

Many lego environment variables can be overridden by their respective _FILE counterpart, which should have a filepath to a file that contains the secret as its value. For example, CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email could be used to provide a Cloudflare API email address as a Docker secret named traefik_cf-api-email.

For complete details, refer to your provider’s Additional configuration link.

Provider NameProvider CodeEnvironment Variables
ACME DNSacme-dnsACME_DNS_API_BASE, ACME_DNS_STORAGE_PATHAdditional configuration
Alibaba CloudalidnsALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY, ALICLOUD_REGION_IDAdditional configuration
ArvanCloudarvancloudARVANCLOUD_API_KEYAdditional configuration
AuroradnsauroradnsAURORA_USER_ID, AURORA_KEY, AURORA_ENDPOINTAdditional configuration
AutodnsautodnsAUTODNS_API_USER, AUTODNS_API_PASSWORDAdditional configuration
AzureazureAZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESOURCE_GROUP, [AZURE_METADATA_ENDPOINT]Additional configuration
BindmanbindmanBINDMAN_MANAGER_ADDRESSAdditional configuration
Blue CatbluecatBLUECAT_SERVER_URL, BLUECAT_USER_NAME, BLUECAT_PASSWORD, BLUECAT_CONFIG_NAME, BLUECAT_DNS_VIEWAdditional configuration
CheckdomaincheckdomainCHECKDOMAIN_TOKEN,Additional configuration
CloudDNSclouddnsCLOUDDNS_CLIENT_ID, CLOUDDNS_EMAIL, CLOUDDNS_PASSWORDAdditional configuration
ClouDNScloudnsCLOUDNS_AUTH_ID, CLOUDNS_AUTH_PASSWORDAdditional configuration
CloudflarecloudflareCF_API_EMAIL, CF_API_KEY 5 or CF_DNS_API_TOKEN, [CF_ZONE_API_TOKEN]Additional configuration
CloudXNScloudxnsCLOUDXNS_API_KEY, CLOUDXNS_SECRET_KEYAdditional configuration
ConoHaconohaCONOHA_TENANT_ID, CONOHA_API_USERNAME, CONOHA_API_PASSWORDAdditional configuration
ConstellixconstellixCONSTELLIX_API_KEY, CONSTELLIX_SECRET_KEYAdditional configuration
deSECdesecDESEC_TOKENAdditional configuration
DigitalOceandigitaloceanDO_AUTH_TOKENAdditional configuration
DNSimplednsimpleDNSIMPLE_OAUTH_TOKEN, DNSIMPLE_BASE_URLAdditional configuration
DNS Made EasydnsmadeeasyDNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET, DNSMADEEASY_SANDBOXAdditional configuration
DNSPoddnspodDNSPOD_API_KEYAdditional configuration
Domain Offensive (do.de)dodeDODE_TOKENAdditional configuration
DreamHostdreamhostDREAMHOST_API_KEYAdditional configuration
Duck DNSduckdnsDUCKDNS_TOKENAdditional configuration
DyndynDYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORDAdditional configuration
DynudynuDYNU_API_KEYAdditional configuration
EasyDNSeasydnsEASYDNS_TOKEN, EASYDNS_KEYAdditional configuration
EdgeDNSedgednsAKAMAI_CLIENT_TOKEN, AKAMAI_CLIENT_SECRET, AKAMAI_ACCESS_TOKENAdditional configuration
External ProgramexecEXEC_PATHAdditional configuration
ExoscaleexoscaleEXOSCALE_API_KEY, EXOSCALE_API_SECRET, EXOSCALE_ENDPOINTAdditional configuration
Fast DNSfastdnsAKAMAI_CLIENT_TOKEN, AKAMAI_CLIENT_SECRET, AKAMAI_ACCESS_TOKENAdditional configuration
GandigandiGANDI_API_KEYAdditional configuration
Gandi v5gandiv5GANDIV5_API_KEYAdditional configuration
GlesysglesysGLESYS_API_USER, GLESYS_API_KEY, GLESYS_DOMAINAdditional configuration
GoDaddygodaddyGODADDY_API_KEY, GODADDY_API_SECRETAdditional configuration
Google Cloud DNSgcloudGCE_PROJECT, Application Default Credentials 2 3, [GCE_SERVICE_ACCOUNT_FILE]Additional configuration
HetznerhetznerHETZNER_API_KEYAdditional configuration
hosting.dehostingdeHOSTINGDE_API_KEY, HOSTINGDE_ZONE_NAMEAdditional configuration
HTTP requesthttpreqHTTPREQ_ENDPOINT, HTTPREQ_MODE, HTTPREQ_USERNAME, HTTPREQ_PASSWORD 1Additional configuration
HyperOnehyperoneHYPERONE_PASSPORT_LOCATION, HYPERONE_LOCATION_IDAdditional configuration
IIJiijIIJ_API_ACCESS_KEY, IIJ_API_SECRET_KEY, IIJ_DO_SERVICE_CODEAdditional configuration
INWXinwxINWX_USERNAME, INWX_PASSWORDAdditional configuration
Joker.comjokerJOKER_API_KEY or JOKER_USERNAME, JOKER_PASSWORDAdditional configuration
LightsaillightsailAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DNS_ZONEAdditional configuration
Linode v4linodeLINODE_TOKENAdditional configuration
Liquid WebliquidwebLIQUID_WEB_PASSWORD, LIQUID_WEB_USERNAME, LIQUID_WEB_ZONEAdditional configuration
LuaDNSluadnsLUADNS_API_USERNAME, LUADNS_API_TOKENAdditional configuration
manualmanualnone, but you need to run Traefik interactively 4, turn on debug log to see instructions and press Enter.
MyDNS.jpmydnsjpMYDNSJP_MASTER_ID, MYDNSJP_PASSWORDAdditional configuration
Mythic BeastsmythicbeastsMYTHICBEASTS_USER_NAME, MYTHICBEASTS_PASSWORDAdditional configuration
NamecheapnamecheapNAMECHEAP_API_USER, NAMECHEAP_API_KEYAdditional configuration
name.comnamedotcomNAMECOM_USERNAME, NAMECOM_API_TOKEN, NAMECOM_SERVERAdditional configuration
NamesilonamesiloNAMESILO_API_KEYAdditional configuration
NetcupnetcupNETCUP_CUSTOMER_NUMBER, NETCUP_API_KEY, NETCUP_API_PASSWORDAdditional configuration
NetlifynetlifyNETLIFY_TOKENAdditional configuration
NIFCloudnifcloudNIFCLOUD_ACCESS_KEY_ID, NIFCLOUD_SECRET_ACCESS_KEYAdditional configuration
NS1ns1NS1_API_KEYAdditional configuration
Open Telekom CloudotcOTC_DOMAIN_NAME, OTC_USER_NAME, OTC_PASSWORD, OTC_PROJECT_NAME, OTC_IDENTITY_ENDPOINTAdditional configuration
OVHovhOVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEYAdditional configuration
Openstack DesignatedesignateOS_AUTH_URL, OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME, OS_REGION_NAMEAdditional configuration
Oracle CloudoraclecloudOCI_COMPARTMENT_OCID, OCI_PRIVKEY_FILE, OCI_PRIVKEY_PASS, OCI_PUBKEY_FINGERPRINT, OCI_REGION, OCI_TENANCY_OCID, OCI_USER_OCIDAdditional configuration
PowerDNSpdnsPDNS_API_KEY, PDNS_API_URLAdditional configuration
RackspacerackspaceRACKSPACE_USER, RACKSPACE_API_KEYAdditional configuration
reg.ruregruREGRU_USERNAME, REGRU_PASSWORDAdditional configuration
RFC2136rfc2136RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVERAdditional configuration
Route 53route53AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_REGION], [AWS_HOSTED_ZONE_ID] or a configured user/instance IAM profile.Additional configuration
RimuHostingrimuhostingRIMUHOSTING_API_KEYAdditional configuration
Sakura CloudsakuracloudSAKURACLOUD_ACCESS_TOKEN, SAKURACLOUD_ACCESS_TOKEN_SECRETAdditional configuration
ScalewayscalewaySCALEWAY_API_TOKENAdditional configuration
SelectelselectelSELECTEL_API_TOKENAdditional configuration
ServercowservercowSERVERCOW_USERNAME, SERVERCOW_PASSWORDAdditional configuration
StackpathstackpathSTACKPATH_CLIENT_ID, STACKPATH_CLIENT_SECRET, STACKPATH_STACK_IDAdditional configuration
TransIPtransipTRANSIP_ACCOUNT_NAME, TRANSIP_PRIVATE_KEY_PATHAdditional configuration
VegaDNSvegadnsSECRET_VEGADNS_KEY, SECRET_VEGADNS_SECRET, VEGADNS_URLAdditional configuration
VersioversioVERSIO_USERNAME, VERSIO_PASSWORDAdditional configuration
VscalevscaleVSCALE_API_TOKENAdditional configuration
VULTRvultrVULTR_API_KEYAdditional configuration
YandexyandexYANDEX_PDD_TOKENAdditional configuration
Zone.eezoneeeZONEEE_API_USER, ZONEEE_API_KEYAdditional configuration
ZonomizonomiZONOMI_API_KEYAdditional configuration

delayBeforeCheck

By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (value must be greater than zero). This option is useful when internal networks block external DNS queries.

resolvers

Use custom DNS servers to resolve the FQDN authority.

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2.   # ...
  3.   [certificatesResolvers.myresolver.acme.dnsChallenge]
  4.     # ...
  5.     resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

File (YAML)

  1. certificatesResolvers:
  2.   myresolver:
  3.     acme:
  4.       # ...
  5.       dnsChallenge:
  6.         # ...
  7.         resolvers:
  8.           - "1.1.1.1:53"
  9.           - "8.8.8.8:53"

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53

Wildcard Domains

ACME V2 supports wildcard certificates. As described in Let’s Encrypt’s post wildcard certificates can only be generated through a DNS-01 challenge.

More Configuration

caServer

Required, Default=”https://acme-v02.api.letsencrypt.org/directory

The CA server to use:

Using the Let’s Encrypt staging server

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2.   # ...
  3.   caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  4.   # ...

File (YAML)

  1. certificatesResolvers:
  2.   myresolver:
  3.     acme:
  4.       # ...
  5.       caServer: https://acme-staging-v02.api.letsencrypt.org/directory
  6.       # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  3. # ...

storage

Required, Default=”acme.json”

The storage option sets the location where your ACME certificates are saved to.

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2.   # ...
  3.   storage = "acme.json"
  4.   # ...

File (YAML)

  1. certificatesResolvers:
  2.   myresolver:
  3.     acme:
  4.       # ...
  5.       storage: acme.json
  6.       # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.storage=acme.json
  3. # ...

ACME certificates are stored in a JSON file that needs to have a 600 file mode.

In Docker you can mount either the JSON file, or the folder containing it:

  1. docker run -v "/my/host/acme.json:/acme.json" traefik
  1. docker run -v "/my/host/acme:/etc/traefik/acme" traefik

Warning

For concurrency reasons, this file cannot be shared across multiple instances of Traefik.

preferredChain

Optional, Default=””

Preferred chain to use.

If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2.   # ...
  3.   preferredChain = "ISRG Root X1"
  4.   # ...

File (YAML)

  1. certificatesResolvers:
  2.   myresolver:
  3.     acme:
  4.       # ...
  5.       preferredChain: 'ISRG Root X1'
  6.       # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
  3. # ...

Fallback

If Let’s Encrypt is not reachable, the following certificates will apply:

  1. Previously generated ACME certificates (before downtime)
  2. Expired ACME certificates
  3. Provided certificates

Important

For new (sub)domains which need Let’s Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

  1. more information about the HTTP message format can be found here

  2. providing_credentials_to_your_application

  3. google/default.go

  4. docker stack remark: there is no way to support terminal attached to container when deploying with docker stack, so you might need to run container with docker run -it to generate certificates using manual provider.

  5. The Global API Key needs to be used, not the Origin CA Key.