Let’s Encrypt

Automatic HTTPS

You can configure Traefik to use an ACME provider (like Let’s Encrypt) for automatic certificate generation.

Let’s Encrypt and Rate Limiting

Note that Let’s Encrypt API has rate limiting.

Use Let’s Encrypt staging server with the caServer configuration option when experimenting to avoid hitting this limit too fast.

Certificate Resolvers

Traefik requires you to define “Certificate Resolvers” in the static configuration, which are responsible for retrieving certificates from an ACME server.

Then, each “router” is configured to enable TLS, and is associated to a certificate resolver through the tls.certresolver configuration option.

Certificates are requested for domain names retrieved from the router’s dynamic configuration.

You can read more about this retrieval mechanism in the following section: ACME Domain Definition.

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

Configuration Reference

There are many available options for ACME. For a quick glance at what’s possible, browse the configuration reference:

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. # Enable ACME (Let's Encrypt): automatic SSL.
  4. acme:
  5. # Email address used for registration.
  6. #
  7. # Required
  8. #
  9. email: "test@example.com"
  10. # File or key used for certificates storage.
  11. #
  12. # Required
  13. #
  14. storage: "acme.json"
  15. # CA server to use.
  16. # Uncomment the line to use Let's Encrypt's staging server,
  17. # leave commented to go to prod.
  18. #
  19. # Optional
  20. # Default: "https://acme-v02.api.letsencrypt.org/directory"
  21. #
  22. # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
  23. # Preferred chain to use.
  24. #
  25. # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
  26. # If no match, the default offered chain will be used.
  27. #
  28. # Optional
  29. # Default: ""
  30. #
  31. # preferredChain: 'ISRG Root X1'
  32. # KeyType to use.
  33. #
  34. # Optional
  35. # Default: "RSA4096"
  36. #
  37. # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
  38. #
  39. # keyType: RSA4096
  40. # Use a TLS-ALPN-01 ACME challenge.
  41. #
  42. # Optional (but recommended)
  43. #
  44. tlsChallenge:
  45. # Use a HTTP-01 ACME challenge.
  46. #
  47. # Optional
  48. #
  49. # httpChallenge:
  50. # EntryPoint to use for the HTTP-01 challenges.
  51. #
  52. # Required
  53. #
  54. # entryPoint: web
  55. # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
  56. # Note: mandatory for wildcard certificate generation.
  57. #
  58. # Optional
  59. #
  60. # dnsChallenge:
  61. # DNS provider used.
  62. #
  63. # Required
  64. #
  65. # provider: digitalocean
  66. # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
  67. # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
  68. # Useful if internal networks block external DNS queries.
  69. #
  70. # Optional
  71. # Default: 0
  72. #
  73. # delayBeforeCheck: 0
  74. # Use following DNS servers to resolve the FQDN authority.
  75. #
  76. # Optional
  77. # Default: empty
  78. #
  79. # resolvers
  80. # - "1.1.1.1:53"
  81. # - "8.8.8.8:53"
  82. # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
  83. #
  84. # NOT RECOMMENDED:
  85. # Increase the risk of reaching Let's Encrypt's rate limits.
  86. #
  87. # Optional
  88. # Default: false
  89. #
  90. # disablePropagationCheck: true

File (TOML)

  1. # Enable ACME (Let's Encrypt): automatic SSL.
  2. [certificatesResolvers.myresolver.acme]
  3. # Email address used for registration.
  4. #
  5. # Required
  6. #
  7. email = "test@example.com"
  8. # File or key used for certificates storage.
  9. #
  10. # Required
  11. #
  12. storage = "acme.json"
  13. # CA server to use.
  14. # Uncomment the line to use Let's Encrypt's staging server,
  15. # leave commented to go to prod.
  16. #
  17. # Optional
  18. # Default: "https://acme-v02.api.letsencrypt.org/directory"
  19. #
  20. # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  21. # Preferred chain to use.
  22. #
  23. # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
  24. # If no match, the default offered chain will be used.
  25. #
  26. # Optional
  27. # Default: ""
  28. #
  29. # preferredChain = "ISRG Root X1"
  30. # KeyType to use.
  31. #
  32. # Optional
  33. # Default: "RSA4096"
  34. #
  35. # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
  36. #
  37. # keyType = "RSA4096"
  38. # Use a TLS-ALPN-01 ACME challenge.
  39. #
  40. # Optional (but recommended)
  41. #
  42. [certificatesResolvers.myresolver.acme.tlsChallenge]
  43. # Use a HTTP-01 ACME challenge.
  44. #
  45. # Optional
  46. #
  47. # [certificatesResolvers.myresolver.acme.httpChallenge]
  48. # EntryPoint to use for the HTTP-01 challenges.
  49. #
  50. # Required
  51. #
  52. # entryPoint = "web"
  53. # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
  54. # Note: mandatory for wildcard certificate generation.
  55. #
  56. # Optional
  57. #
  58. # [certificatesResolvers.myresolver.acme.dnsChallenge]
  59. # DNS provider used.
  60. #
  61. # Required
  62. #
  63. # provider = "digitalocean"
  64. # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
  65. # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
  66. # Useful if internal networks block external DNS queries.
  67. #
  68. # Optional
  69. # Default: 0
  70. #
  71. # delayBeforeCheck = 0
  72. # Use following DNS servers to resolve the FQDN authority.
  73. #
  74. # Optional
  75. # Default: empty
  76. #
  77. # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
  78. # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
  79. #
  80. # NOT RECOMMENDED:
  81. # Increase the risk of reaching Let's Encrypt's rate limits.
  82. #
  83. # Optional
  84. # Default: false
  85. #
  86. # disablePropagationCheck = true

CLI

  1. # Enable ACME (Let's Encrypt): automatic SSL.
  2. # Email address used for registration.
  3. #
  4. # Required
  5. #
  6. --certificatesresolvers.myresolver.acme.email=test@example.com
  7. # File or key used for certificates storage.
  8. #
  9. # Required
  10. #
  11. --certificatesresolvers.myresolver.acme.storage=acme.json
  12. # CA server to use.
  13. # Uncomment the line to use Let's Encrypt's staging server,
  14. # leave commented to go to prod.
  15. #
  16. # Optional
  17. # Default: "https://acme-v02.api.letsencrypt.org/directory"
  18. #
  19. --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  20. # Preferred chain to use.
  21. #
  22. # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
  23. # If no match, the default offered chain will be used.
  24. #
  25. # Optional
  26. # Default: ""
  27. #
  28. --certificatesresolvers.myresolver.acme.preferredchain="ISRG Root X1"
  29. # KeyType to use.
  30. #
  31. # Optional
  32. # Default: "RSA4096"
  33. #
  34. # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
  35. #
  36. --certificatesresolvers.myresolver.acme.keytype=RSA4096
  37. # Use a TLS-ALPN-01 ACME challenge.
  38. #
  39. # Optional (but recommended)
  40. #
  41. --certificatesresolvers.myresolver.acme.tlschallenge=true
  42. # Use a HTTP-01 ACME challenge.
  43. #
  44. # Optional
  45. #
  46. --certificatesresolvers.myresolver.acme.httpchallenge=true
  47. # EntryPoint to use for the HTTP-01 challenges.
  48. #
  49. # Required
  50. #
  51. --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
  52. # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
  53. # Note: mandatory for wildcard certificate generation.
  54. #
  55. # Optional
  56. #
  57. --certificatesresolvers.myresolver.acme.dnschallenge=true
  58. # DNS provider used.
  59. #
  60. # Required
  61. #
  62. --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
  63. # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
  64. # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
  65. # Useful if internal networks block external DNS queries.
  66. #
  67. # Optional
  68. # Default: 0
  69. #
  70. --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
  71. # Use following DNS servers to resolve the FQDN authority.
  72. #
  73. # Optional
  74. # Default: empty
  75. #
  76. --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
  77. # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
  78. #
  79. # NOT RECOMMENDED:
  80. # Increase the risk of reaching Let's Encrypt's rate limits.
  81. #
  82. # Optional
  83. # Default: false
  84. #
  85. --certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

Domain Definition

Certificate resolvers request certificates for a set of the domain names inferred from routers, with the following logic:

  • If the router has a tls.domains option set, then the certificate resolver uses the main (and optionally sans) option of tls.domains to know the domain names for this router.

  • If no tls.domains option is set, then the certificate resolver uses the router’s rule, by checking the Host() matchers. Please note that multiple Host() matchers can be used) for specifying multiple domain names for this router.

Please note that:

Please check the configuration examples below for more details.

Configuration Examples

Enabling ACME

File (YAML)

  1. entryPoints:
  2. web:
  3. address: ":80"
  4. websecure:
  5. address: ":443"
  6. certificatesResolvers:
  7. myresolver:
  8. acme:
  9. email: your-email@example.com
  10. storage: acme.json
  11. httpChallenge:
  12. # used during the challenge
  13. entryPoint: web

File (TOML)

  1. [entryPoints]
  2. [entryPoints.web]
  3. address = ":80"
  4. [entryPoints.websecure]
  5. address = ":443"
  6. [certificatesResolvers.myresolver.acme]
  7. email = "your-email@example.com"
  8. storage = "acme.json"
  9. [certificatesResolvers.myresolver.acme.httpChallenge]
  10. # used during the challenge
  11. entryPoint = "web"

CLI

  1. --entrypoints.web.address=:80
  2. --entrypoints.websecure.address=:443
  3. # ...
  4. --certificatesresolvers.myresolver.acme.email=your-email@example.com
  5. --certificatesresolvers.myresolver.acme.storage=acme.json
  6. # used during the challenge
  7. --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

Single Domain from Router’s Rule Example

  • A certificate for the domain example.com is requested:

Docker

  1. ## Dynamic configuration
  2. labels:
  3. - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  4. - traefik.http.routers.blog.tls=true
  5. - traefik.http.routers.blog.tls.certresolver=myresolver

Docker (Swarm)

  1. ## Dynamic configuration
  2. deploy:
  3. labels:
  4. - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  5. - traefik.http.routers.blog.tls=true
  6. - traefik.http.routers.blog.tls.certresolver=myresolver
  7. - traefik.http.services.blog-svc.loadbalancer.server.port=8080"

Kubernetes

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: IngressRoute
  3. metadata:
  4. name: blogtls
  5. spec:
  6. entryPoints:
  7. - websecure
  8. routes:
  9. - match: Host(`example.com`) && Path(`/blog`)
  10. kind: Rule
  11. services:
  12. - name: blog
  13. port: 8080
  14. tls:
  15. certResolver: myresolver

Marathon

  1. labels: {
  2. "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
  3. "traefik.http.routers.blog.tls": "true",
  4. "traefik.http.routers.blog.tls.certresolver": "myresolver",
  5. "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
  6. }

Rancher

  1. ## Dynamic configuration
  2. labels:
  3. - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  4. - traefik.http.routers.blog.tls=true
  5. - traefik.http.routers.blog.tls.certresolver=myresolver

File (YAML)

  1. ## Dynamic configuration
  2. http:
  3. routers:
  4. blog:
  5. rule: "Host(`example.com`) && Path(`/blog`)"
  6. tls:
  7. certResolver: myresolver

File (TOML)

  1. ## Dynamic configuration
  2. [http.routers]
  3. [http.routers.blog]
  4. rule = "Host(`example.com`) && Path(`/blog`)"
  5. [http.routers.blog.tls]
  6. certResolver = "myresolver"

Multiple Domains from Router’s Rule Example

  • A certificate for the domains example.com (main) and blog.example.org is requested:

Docker

  1. ## Dynamic configuration
  2. labels:
  3. - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  4. - traefik.http.routers.blog.tls=true
  5. - traefik.http.routers.blog.tls.certresolver=myresolver

Docker (Swarm)

  1. ## Dynamic configuration
  2. deploy:
  3. labels:
  4. - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  5. - traefik.http.routers.blog.tls=true
  6. - traefik.http.routers.blog.tls.certresolver=myresolver
  7. - traefik.http.services.blog-svc.loadbalancer.server.port=8080"

Kubernetes

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: IngressRoute
  3. metadata:
  4. name: blogtls
  5. spec:
  6. entryPoints:
  7. - websecure
  8. routes:
  9. - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  10. kind: Rule
  11. services:
  12. - name: blog
  13. port: 8080
  14. tls:
  15. certResolver: myresolver

Marathon

  1. labels: {
  2. "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
  3. "traefik.http.routers.blog.tls": "true",
  4. "traefik.http.routers.blog.tls.certresolver": "myresolver",
  5. "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
  6. }

Rancher

  1. ## Dynamic configuration
  2. labels:
  3. - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  4. - traefik.http.routers.blog.tls=true
  5. - traefik.http.routers.blog.tls.certresolver=myresolver

File (YAML)

  1. ## Dynamic configuration
  2. http:
  3. routers:
  4. blog:
  5. rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
  6. tls:
  7. certResolver: myresolver

File (TOML)

  1. ## Dynamic configuration
  2. [http.routers]
  3. [http.routers.blog]
  4. rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
  5. [http.routers.blog.tls]
  6. certResolver = "myresolver"

Multiple Domains from Router’s tls.domain Example

  • A certificate for the domains example.com (main) and *.example.org (SAN) is requested:

Docker

  1. ## Dynamic configuration
  2. labels:
  3. - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  4. - traefik.http.routers.blog.tls=true
  5. - traefik.http.routers.blog.tls.certresolver=myresolver
  6. - traefik.http.routers.blog.tls.domains[0].main=example.org
  7. - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Docker (Swarm)

  1. ## Dynamic configuration
  2. deploy:
  3. labels:
  4. - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  5. - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
  6. - traefik.http.routers.blog.tls=true
  7. - traefik.http.routers.blog.tls.certresolver=myresolver
  8. - traefik.http.routers.blog.tls.domains[0].main=example.org
  9. - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Kubernetes

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: IngressRoute
  3. metadata:
  4. name: blogtls
  5. spec:
  6. entryPoints:
  7. - websecure
  8. routes:
  9. - match: Host(`example.com`) && Path(`/blog`)
  10. kind: Rule
  11. services:
  12. - name: blog
  13. port: 8080
  14. tls:
  15. certResolver: myresolver
  16. domains:
  17. - main: example.org
  18. sans:
  19. - '*.example.org'

Marathon

  1. labels: {
  2. "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
  3. "traefik.http.routers.blog.tls": "true",
  4. "traefik.http.routers.blog.tls.certresolver": "myresolver",
  5. "traefik.http.routers.blog.tls.domains[0].main": "example.com",
  6. "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
  7. "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
  8. }

Rancher

  1. ## Dynamic configuration
  2. labels:
  3. - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  4. - traefik.http.routers.blog.tls=true
  5. - traefik.http.routers.blog.tls.certresolver=myresolver
  6. - traefik.http.routers.blog.tls.domains[0].main=example.org
  7. - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

File (YAML)

  1. ## Dynamic configuration
  2. http:
  3. routers:
  4. blog:
  5. rule: "Host(`example.com`) && Path(`/blog`)"
  6. tls:
  7. certResolver: myresolver
  8. domains:
  9. - main: "example.org"
  10. sans:
  11. - "*.example.org"

File (TOML)

  1. ## Dynamic configuration
  2. [http.routers]
  3. [http.routers.blog]
  4. rule = "Host(`example.com`) && Path(`/blog`)"
  5. [http.routers.blog.tls]
  6. certResolver = "myresolver" # From static configuration
  7. [[http.routers.blog.tls.domains]]
  8. main = "example.org"
  9. sans = ["*.example.org"]

Automatic Renewals

Traefik automatically tracks the expiry date of ACME certificates it generates.

If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.

Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.

Using LetsEncrypt with Kubernetes

When using LetsEncrypt with kubernetes, there are some known caveats with both the ingress and crd providers.

If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.

The Different ACME Challenges

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

tlsChallenge

Use the TLS-ALPN-01 challenge to generate and renew ACME certificates by provisioning a TLS certificate.

As described on the Let’s Encrypt community forum, when using the TLS-ALPN-01 challenge, Traefik must be reachable by Let’s Encrypt through port 443.

Configuring the tlsChallenge

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. acme:
  4. # ...
  5. tlsChallenge: {}

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2. # ...
  3. [certificatesResolvers.myresolver.acme.tlsChallenge]

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.tlschallenge=true

httpChallenge

Use the HTTP-01 challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.

As described on the Let’s Encrypt community forum, when using the HTTP-01 challenge, certificatesresolvers.myresolver.acme.httpchallenge.entrypoint must be reachable by Let’s Encrypt through port 80.

Using an EntryPoint Called web for the httpChallenge

File (YAML)

  1. entryPoints:
  2. web:
  3. address: ":80"
  4. websecure:
  5. address: ":443"
  6. certificatesResolvers:
  7. myresolver:
  8. acme:
  9. # ...
  10. httpChallenge:
  11. entryPoint: web

File (TOML)

  1. [entryPoints]
  2. [entryPoints.web]
  3. address = ":80"
  4. [entryPoints.websecure]
  5. address = ":443"
  6. [certificatesResolvers.myresolver.acme]
  7. # ...
  8. [certificatesResolvers.myresolver.acme.httpChallenge]
  9. entryPoint = "web"

CLI

  1. --entrypoints.web.address=:80
  2. --entrypoints.websecure.address=:443
  3. # ...
  4. --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

Redirection is fully compatible with the HTTP-01 challenge.

dnsChallenge

Use the DNS-01 challenge to generate and renew ACME certificates by provisioning a DNS record.

Configuring a dnsChallenge with the DigitalOcean Provider

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. acme:
  4. # ...
  5. dnsChallenge:
  6. provider: digitalocean
  7. delayBeforeCheck: 0
  8. # ...

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2. # ...
  3. [certificatesResolvers.myresolver.acme.dnsChallenge]
  4. provider = "digitalocean"
  5. delayBeforeCheck = 0
  6. # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
  3. --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
  4. # ...

Important

A provider is mandatory.

providers

Here is a list of supported providers, that can automate the DNS verification, along with the required environment variables and their wildcard & root domain support. Do not hesitate to complete it.

Many lego environment variables can be overridden by their respective _FILE counterpart, which should have a filepath to a file that contains the secret as its value. For example, CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email could be used to provide a Cloudflare API email address as a Docker secret named traefik_cf-api-email.

For complete details, refer to your provider’s Additional configuration link.

Provider NameProvider CodeEnvironment Variables
ACME DNSacme-dnsACME_DNS_API_BASE, ACME_DNS_STORAGE_PATHAdditional configuration
Alibaba CloudalidnsALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY, ALICLOUD_REGION_IDAdditional configuration
ArvanCloudarvancloudARVANCLOUD_API_KEYAdditional configuration
AuroradnsauroradnsAURORA_USER_ID, AURORA_KEY, AURORA_ENDPOINTAdditional configuration
AutodnsautodnsAUTODNS_API_USER, AUTODNS_API_PASSWORDAdditional configuration
AzureazureAZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESOURCE_GROUP, [AZURE_METADATA_ENDPOINT]Additional configuration
BindmanbindmanBINDMAN_MANAGER_ADDRESSAdditional configuration
Blue CatbluecatBLUECAT_SERVER_URL, BLUECAT_USER_NAME, BLUECAT_PASSWORD, BLUECAT_CONFIG_NAME, BLUECAT_DNS_VIEWAdditional configuration
CheckdomaincheckdomainCHECKDOMAIN_TOKEN,Additional configuration
CloudDNSclouddnsCLOUDDNS_CLIENT_ID, CLOUDDNS_EMAIL, CLOUDDNS_PASSWORDAdditional configuration
ClouDNScloudnsCLOUDNS_AUTH_ID, CLOUDNS_AUTH_PASSWORDAdditional configuration
CloudflarecloudflareCF_API_EMAIL, CF_API_KEY 5 or CF_DNS_API_TOKEN, [CF_ZONE_API_TOKEN]Additional configuration
CloudXNScloudxnsCLOUDXNS_API_KEY, CLOUDXNS_SECRET_KEYAdditional configuration
ConoHaconohaCONOHA_TENANT_ID, CONOHA_API_USERNAME, CONOHA_API_PASSWORDAdditional configuration
ConstellixconstellixCONSTELLIX_API_KEY, CONSTELLIX_SECRET_KEYAdditional configuration
deSECdesecDESEC_TOKENAdditional configuration
DigitalOceandigitaloceanDO_AUTH_TOKENAdditional configuration
DNSimplednsimpleDNSIMPLE_OAUTH_TOKEN, DNSIMPLE_BASE_URLAdditional configuration
DNS Made EasydnsmadeeasyDNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET, DNSMADEEASY_SANDBOXAdditional configuration
DNSPoddnspodDNSPOD_API_KEYAdditional configuration
Domain Offensive (do.de)dodeDODE_TOKENAdditional configuration
DomeneshopdomeneshopDOMENESHOP_API_TOKEN, DOMENESHOP_API_SECRETAdditional configuration
DreamHostdreamhostDREAMHOST_API_KEYAdditional configuration
Duck DNSduckdnsDUCKDNS_TOKENAdditional configuration
DyndynDYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORDAdditional configuration
DynudynuDYNU_API_KEYAdditional configuration
EasyDNSeasydnsEASYDNS_TOKEN, EASYDNS_KEYAdditional configuration
EdgeDNSedgednsAKAMAI_CLIENT_TOKEN, AKAMAI_CLIENT_SECRET, AKAMAI_ACCESS_TOKENAdditional configuration
External ProgramexecEXEC_PATHAdditional configuration
ExoscaleexoscaleEXOSCALE_API_KEY, EXOSCALE_API_SECRET, EXOSCALE_ENDPOINTAdditional configuration
Fast DNSfastdnsAKAMAI_CLIENT_TOKEN, AKAMAI_CLIENT_SECRET, AKAMAI_ACCESS_TOKENAdditional configuration
GandigandiGANDI_API_KEYAdditional configuration
Gandi v5gandiv5GANDIV5_API_KEYAdditional configuration
GlesysglesysGLESYS_API_USER, GLESYS_API_KEY, GLESYS_DOMAINAdditional configuration
GoDaddygodaddyGODADDY_API_KEY, GODADDY_API_SECRETAdditional configuration
Google Cloud DNSgcloudGCE_PROJECT, Application Default Credentials 2 3, [GCE_SERVICE_ACCOUNT_FILE]Additional configuration
HetznerhetznerHETZNER_API_KEYAdditional configuration
hosting.dehostingdeHOSTINGDE_API_KEY, HOSTINGDE_ZONE_NAMEAdditional configuration
HTTP requesthttpreqHTTPREQ_ENDPOINT, HTTPREQ_MODE, HTTPREQ_USERNAME, HTTPREQ_PASSWORD 1Additional configuration
HyperOnehyperoneHYPERONE_PASSPORT_LOCATION, HYPERONE_LOCATION_IDAdditional configuration
IIJiijIIJ_API_ACCESS_KEY, IIJ_API_SECRET_KEY, IIJ_DO_SERVICE_CODEAdditional configuration
InfobloxinfobloxINFOBLOX_USER, INFOBLOX_PASSWORD, INFOBLOX_HOSTAdditional configuration
InfomaniakinfomaniakINFOMANIAK_ACCESS_TOKENAdditional configuration
INWXinwxINWX_USERNAME, INWX_PASSWORDAdditional configuration
ionosionosIONOS_API_KEYAdditional configuration
Joker.comjokerJOKER_API_MODE with JOKER_API_KEY or JOKER_USERNAME, JOKER_PASSWORDAdditional configuration
LightsaillightsailAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DNS_ZONEAdditional configuration
Linode v4linodeLINODE_TOKENAdditional configuration
Liquid WebliquidwebLIQUID_WEB_PASSWORD, LIQUID_WEB_USERNAME, LIQUID_WEB_ZONEAdditional configuration
LoopialoopiaLOOPIA_API_PASSWORD, LOOPIA_API_USERAdditional configuration
LuaDNSluadnsLUADNS_API_USERNAME, LUADNS_API_TOKENAdditional configuration
manualmanualnone, but you need to run Traefik interactively 4, turn on debug log to see instructions and press Enter.
MyDNS.jpmydnsjpMYDNSJP_MASTER_ID, MYDNSJP_PASSWORDAdditional configuration
Mythic BeastsmythicbeastsMYTHICBEASTS_USER_NAME, MYTHICBEASTS_PASSWORDAdditional configuration
NamecheapnamecheapNAMECHEAP_API_USER, NAMECHEAP_API_KEYAdditional configuration
name.comnamedotcomNAMECOM_USERNAME, NAMECOM_API_TOKEN, NAMECOM_SERVERAdditional configuration
NamesilonamesiloNAMESILO_API_KEYAdditional configuration
NetcupnetcupNETCUP_CUSTOMER_NUMBER, NETCUP_API_KEY, NETCUP_API_PASSWORDAdditional configuration
NetlifynetlifyNETLIFY_TOKENAdditional configuration
NIFCloudnifcloudNIFCLOUD_ACCESS_KEY_ID, NIFCLOUD_SECRET_ACCESS_KEYAdditional configuration
NjallanjallaNJALLA_TOKENAdditional configuration
NS1ns1NS1_API_KEYAdditional configuration
Open Telekom CloudotcOTC_DOMAIN_NAME, OTC_USER_NAME, OTC_PASSWORD, OTC_PROJECT_NAME, OTC_IDENTITY_ENDPOINTAdditional configuration
OVHovhOVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEYAdditional configuration
Openstack DesignatedesignateOS_AUTH_URL, OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME, OS_REGION_NAMEAdditional configuration
Oracle CloudoraclecloudOCI_COMPARTMENT_OCID, OCI_PRIVKEY_FILE, OCI_PRIVKEY_PASS, OCI_PUBKEY_FINGERPRINT, OCI_REGION, OCI_TENANCY_OCID, OCI_USER_OCIDAdditional configuration
PorkbunporkbunPORKBUN_SECRET_API_KEY, PORKBUN_API_KEYAdditional configuration
PowerDNSpdnsPDNS_API_KEY, PDNS_API_URLAdditional configuration
RackspacerackspaceRACKSPACE_USER, RACKSPACE_API_KEYAdditional configuration
reg.ruregruREGRU_USERNAME, REGRU_PASSWORDAdditional configuration
RFC2136rfc2136RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVERAdditional configuration
Route 53route53AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_REGION], [AWS_HOSTED_ZONE_ID] or a configured user/instance IAM profile.Additional configuration
RimuHostingrimuhostingRIMUHOSTING_API_KEYAdditional configuration
Sakura CloudsakuracloudSAKURACLOUD_ACCESS_TOKEN, SAKURACLOUD_ACCESS_TOKEN_SECRETAdditional configuration
ScalewayscalewaySCALEWAY_API_TOKENAdditional configuration
SelectelselectelSELECTEL_API_TOKENAdditional configuration
ServercowservercowSERVERCOW_USERNAME, SERVERCOW_PASSWORDAdditional configuration
Simply.comsimplySIMPLY_ACCOUNT_NAME, SIMPLY_API_KEYAdditional configuration
SonicsonicSONIC_USER_ID, SONIC_API_KEYAdditional configuration
StackpathstackpathSTACKPATH_CLIENT_ID, STACKPATH_CLIENT_SECRET, STACKPATH_STACK_IDAdditional configuration
TransIPtransipTRANSIP_ACCOUNT_NAME, TRANSIP_PRIVATE_KEY_PATHAdditional configuration
VegaDNSvegadnsSECRET_VEGADNS_KEY, SECRET_VEGADNS_SECRET, VEGADNS_URLAdditional configuration
VersioversioVERSIO_USERNAME, VERSIO_PASSWORDAdditional configuration
VinylDNSvinyldnsVINYLDNS_ACCESS_KEY, VINYLDNS_SECRET_KEY, VINYLDNS_HOSTAdditional configuration
VscalevscaleVSCALE_API_TOKENAdditional configuration
VULTRvultrVULTR_API_KEYAdditional configuration
WEDOSwedosWEDOS_USERNAME, WEDOS_WAPI_PASSWORDAdditional configuration
YandexyandexYANDEX_PDD_TOKENAdditional configuration
Zone.eezoneeeZONEEE_API_USER, ZONEEE_API_KEYAdditional configuration
ZonomizonomiZONOMI_API_KEYAdditional configuration

delayBeforeCheck

By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (value must be greater than zero). This option is useful when internal networks block external DNS queries.

resolvers

Use custom DNS servers to resolve the FQDN authority.

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. acme:
  4. # ...
  5. dnsChallenge:
  6. # ...
  7. resolvers:
  8. - "1.1.1.1:53"
  9. - "8.8.8.8:53"

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2. # ...
  3. [certificatesResolvers.myresolver.acme.dnsChallenge]
  4. # ...
  5. resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53

Wildcard Domains

ACME V2 supports wildcard certificates. As described in Let’s Encrypt’s post wildcard certificates can only be generated through a DNS-01 challenge.

External Account Binding

  • kid: Key identifier from External CA
  • hmacEncoded: HMAC key from External CA, should be in Base64 URL Encoding without padding format

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. acme:
  4. # ...
  5. eab:
  6. kid: abc-keyID-xyz
  7. hmacEncoded: abc-hmac-xyz

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2. # ...
  3. [certificatesResolvers.myresolver.acme.eab]
  4. kid = "abc-keyID-xyz"
  5. hmacEncoded = "abc-hmac-xyz"

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
  3. --certificatesresolvers.myresolver.acme.eab.hmacencoded=abc-hmac-xyz

More Configuration

caServer

Required, Default=”https://acme-v02.api.letsencrypt.org/directory

The CA server to use:

Using the Let’s Encrypt staging server

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. acme:
  4. # ...
  5. caServer: https://acme-staging-v02.api.letsencrypt.org/directory
  6. # ...

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2. # ...
  3. caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  4. # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  3. # ...

storage

Required, Default=”acme.json”

The storage option sets the location where your ACME certificates are saved to.

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. acme:
  4. # ...
  5. storage: acme.json
  6. # ...

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2. # ...
  3. storage = "acme.json"
  4. # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.storage=acme.json
  3. # ...

ACME certificates are stored in a JSON file that needs to have a 600 file mode.

In Docker you can mount either the JSON file, or the folder containing it:

  1. docker run -v "/my/host/acme.json:/acme.json" traefik
  1. docker run -v "/my/host/acme:/etc/traefik/acme" traefik

Warning

For concurrency reasons, this file cannot be shared across multiple instances of Traefik.

preferredChain

Optional, Default=””

Preferred chain to use.

If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. acme:
  4. # ...
  5. preferredChain: 'ISRG Root X1'
  6. # ...

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2. # ...
  3. preferredChain = "ISRG Root X1"
  4. # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
  3. # ...

keyType

Optional, Default=”RSA4096”

KeyType used for generating certificate private key. Allow value ‘EC256’, ‘EC384’, ‘RSA2048’, ‘RSA4096’, ‘RSA8192’.

File (YAML)

  1. certificatesResolvers:
  2. myresolver:
  3. acme:
  4. # ...
  5. keyType: 'RSA4096'
  6. # ...

File (TOML)

  1. [certificatesResolvers.myresolver.acme]
  2. # ...
  3. keyType = "RSA4096"
  4. # ...

CLI

  1. # ...
  2. --certificatesresolvers.myresolver.acme.keyType="RSA4096"
  3. # ...

Fallback

If Let’s Encrypt is not reachable, the following certificates will apply:

  1. Previously generated ACME certificates (before downtime)
  2. Expired ACME certificates
  3. Provided certificates

Important

For new (sub)domains which need Let’s Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.


  1. more information about the HTTP message format can be found here

  2. providing_credentials_to_your_application

  3. google/default.go

  4. docker stack remark: there is no way to support terminal attached to container when deploying with docker stack, so you might need to run container with docker run -it to generate certificates using manual provider.

  5. The Global API Key needs to be used, not the Origin CA Key.