
Traefik Certificate Resolver Status

Current Status

✅ Compression Middleware: Working correctly

✅ HTTP Challenge: Configured and working

✅ MinIO Routers: Fixed

⚠️ Certificate Resolver: Showing "nonexistent" errors (but configured correctly)

Certificate Resolver Errors

Error:

ERR Router uses a nonexistent certificate resolver certificateResolver=letsencrypt

Root Cause: This error typically occurs when:

  1. The ACME account hasn't been initialized yet (first certificate request)
  2. The acme.json file doesn't exist or has incorrect permissions
  3. Traefik hasn't successfully connected to Let's Encrypt yet

Configuration Status

The certificate resolver IS correctly configured in infrastructure/compose/shared.yml:

- --certificatesresolvers.letsencrypt.acme.email=contact@portugalodyssey.pt
- --certificatesresolvers.letsencrypt.acme.storage=/acme.json
- --certificatesresolvers.letsencrypt.acme.httpchallenge=true
- --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web

Expected Behavior

  1. First Certificate Request: When a router requests a certificate, Traefik will:

       • Initialize the ACME account with Let's Encrypt
       • Create/update the acme.json file
       • Obtain the certificate
       • The "nonexistent" errors will disappear

  2. Subsequent Requests: Once the account is initialized, certificates will be obtained automatically

Verification Steps

1. Check ACME File

# On VPS
cd /opt/po-platform

# Check if acme.json exists
ls -la infrastructure/config/traefik/acme.json

# If it doesn't exist, create it with correct permissions
touch infrastructure/config/traefik/acme.json
chmod 600 infrastructure/config/traefik/acme.json

2. Check Traefik Logs for ACME Activity

# Look for ACME initialization attempts
docker logs po-traefik 2>&1 | grep -i "acme\|letsencrypt\|certificate" | tail -20

# Should see attempts to connect to Let's Encrypt

3. Trigger Certificate Request

The certificate resolver will initialize when:

  • A router with tls.certresolver=letsencrypt receives its first HTTPS request
  • Or you trigger it manually by accessing any HTTPS endpoint

4. Verify Certificate Obtained

# Check if certificates are being stored
docker exec po-traefik cat /acme.json | jq '.letsencrypt.Certificates' 2>/dev/null || echo "No certificates yet or jq not available"

# Or check file size (should grow when certificates are obtained)
ls -lh infrastructure/config/traefik/acme.json
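
The file checks from steps 1 and 4, combined into one script as an added example (not part of the original page or project). It assumes the resolver name letsencrypt and the acme.json path used above; the function names are hypothetical. It counts stored certificates with jq rather than printing them, because acme.json also holds the private keys.

```shell
#!/bin/sh
# Added example: pre-flight check for Traefik's ACME storage file.
# Function names are hypothetical; resolver name and path come from this page.

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return codes: 0 ok, 1 missing, 2 not a regular file, 3 mode is not 600.
check_acme_file() {
  if [ ! -e "$1" ]; then
    echo "MISSING: $1 (touch it and chmod 600 before starting Traefik)"
    return 1
  fi
  if [ ! -f "$1" ]; then
    # With the short volume syntax, Docker creates a directory when the
    # bind-mount source file is absent.
    echo "NOT A FILE: $1 (remove it, then touch and chmod 600)"
    return 2
  fi
  acme_mode="$(file_mode "$1")"
  if [ "$acme_mode" != "600" ]; then
    echo "BAD MODE: $1 is $acme_mode, expected 600"
    return 3
  fi
  echo "OK: $1 is a regular file with mode 600"
}

# Print the number of stored certificates without printing key material.
count_certs() {
  [ -s "$1" ] || { echo 0; return 0; }   # a freshly touched file is empty
  jq -r '(.letsencrypt.Certificates // []) | length' "$1"
}

# Usage: sh check-acme.sh infrastructure/config/traefik/acme.json
if [ "$#" -gt 0 ]; then
  check_acme_file "$1" || exit $?
  if command -v jq >/dev/null 2>&1; then
    echo "certificates stored: $(count_certs "$1")"
  fi
fi
```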

Troubleshooting

If Errors Persist

  1. Verify ACME file permissions:

    chmod 600 infrastructure/config/traefik/acme.json
    

  2. Check Traefik can write to acme.json:

    # The volume mount should allow write access
    # Check: ../config/traefik/acme.json:/acme.json:rw
    

  3. Verify network connectivity:

    # Traefik needs to reach Let's Encrypt servers
    docker exec po-traefik ping -c 1 acme-v02.api.letsencrypt.org
    

  4. Check for rate limiting:

       • Let's Encrypt has rate limits
       • If you've made many requests, wait before retrying

Expected Timeline

  • Immediate: Configuration is correct, errors are expected until first certificate
  • After first HTTPS request: ACME account initializes, certificate obtained
  • After initialization: Errors disappear, certificates work automatically