In trying to upgrade to the latest traefik version to be able to generate TLS certs from LetsEncrypt, I've come across a problem when it comes to cert generation time.

This worked previously on traefik:1.4 using the acme.ondemand flag and the other settings (minus the httpChallenge keys of course).

Config:

traefik:
  image: traefik:1.5.0-rc5-alpine
  ports:
    - 80:80/tcp
    - 443:443/tcp
  command:
    - --web
    - --rancher
    - --rancher.metadata
    - --acme
    - --acme.email=my@email.com
    - --acme.onhostrule
    - --acme.httpchallenge
    - --acme.httpchallenge.entrypoint=http
    - --acme.entrypoint=https
    - --acme.storage=/data/acme.json
    - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
    - --entryPoints=Name:https Address::443 TLS
    - --accesslog
    - --accesslog.format=json
    - --debug

Openssl s_client result of not-yet-existant cert

CONNECTED(00000003)
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=TRAEFIK DEFAULT CERT
  i:/CN=TRAEFIK DEFAULT CERT
---
...
Verify return code: 21 (unable to verify the first certificate)

Traefik logs

time="2018-01-16T19:17:49Z" level=debug msg="Looking for provided certificate to validate [mysite.com]..." time="2018-01-16T19:17:49Z" level=debug msg="No provided certificate found for domains [mysite.com], get ACME certificate." time="2018-01-16T19:17:49Z" level=debug msg="Looking for an existing ACME challenge for mysite.com..." time="2018-01-16T19:17:49Z" level=debug msg="No certificate found or generated for mysite.com"

Attempting to narrow down to just a toml file with the same config to determine if that's the problem or not.

The onHostRule try to challenge an ACME cert when you have a HostRule on a frontend with the same Entrypoint as ACME EntryPoint.

When new frontend are loaded, they use the entrypoint you specify or the defaultEntrypoints.

Here: Your defaultEntrypoints is http Your ACME EntryPoint is https

So when your frontent is created, it is assigned to http, that's why you don't have any challenge.

Then, your logs only say that when you try to access https://example.com, Træfik try to find certificate in already challenged ACME cert.

In order to fix, you need to specify defaultEntrypoints with https (and http if you need it)

I found that in the end, the problem was actually that I didn't have a container matching the host that I was testing against, running in my cluster.

I was using openssl s_client -connect host:443 -servername mysite.com, however I didn't realize that in the cluster I was targeting, there was no container with a label of traefik.frontend.rule=Host:mysite.com.

Therefore, I was just getting a 404 from traefik's perspective, which ended up using the default traefik cert. When curl'ing - I never got the 404 since I never got past the TLS handshake.

You can try to add the snippet end of traefik.toml, it may help you

[docker]
  endpoint = "unix:///var/run/docker.sock"
  watch = true