Certbot standalone side by side with traefik?

I have set up certbot on Ubuntu and successfully created my certificate with --standalone. The same system may use other certs for other fqdns that end up on the same system as well later.

I have added traefik v2.9 to this system. Traefik listens on ports 80 and 443. I have configured traefik with a 'file provider' so that it uses the separately certbot-created certificate. This works.

Some of the services on this system will not be managed via traefik. So I want to keep cert management and traefik separate. Use certbot to manage the certs and have traefik use some of them.

The certs renewal config looks like this:

account = [snip]
pref_challs = http-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone

Now, I think that if traefik is running on port 80 certbot will not be able to renew because traefik is already listening on that port. What is the best way to solve this conundrum? One way is of course to have traefik not listen on port 80 and purely work on 443. Another might be to have traefik catch /.well-known/acme-challenge/ on port 80, serve the contents, and use certbot with webroot, maybe?

You can have certbot listen on another port, say 8080, and then have traefik reverse proxy to that port. That might be a bit nicer than using a web root.
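One way to wire up that suggestion, as an added example that is not from any poster in this thread: a Traefik v2 file-provider dynamic configuration that forwards only the ACME HTTP-01 path from the port-80 entrypoint to a certbot standalone listener on 127.0.0.1:8080. It assumes the entrypoint is named `web` and the file path is hypothetical.

```yaml
# Hypothetical file: /etc/traefik/dynamic/acme-proxy.yml (loaded by the file
# provider that the thread says is already configured).
#
# certbot side: add the line
#     http01_port = 8080
# under [renewalparams] in the renewal config shown above. This is the stored
# form of "certbot --http-01-port 8080" and makes the standalone authenticator
# bind 8080 instead of 80, so it no longer collides with Traefik.
#
# Caveat: if an entrypoint-level HTTP-to-HTTPS redirection is configured on
# "web", Traefik implements it as a catch-all router of maximal priority, which
# would also swallow the challenge path. Do the redirect with a router-level
# redirectScheme middleware instead, so the router below can win on priority.
http:
  routers:
    acme-http01:
      entryPoints:
        - web
      # Only the challenge path is forwarded; everything else on port 80 keeps
      # hitting whatever routers already exist.
      rule: "PathPrefix(`/.well-known/acme-challenge/`)"
      # High priority so this router beats any catch-all rule on port 80.
      priority: 1000
      service: certbot-standalone
      # No "tls" section: HTTP-01 validation arrives in plain HTTP.

  services:
    certbot-standalone:
      loadBalancer:
        servers:
          # certbot's standalone server only listens while a renewal runs;
          # outside that window Traefik simply returns a bad-gateway error for
          # this path, which is harmless.
          - url: "http://127.0.0.1:8080"
```

Confirm the chain end to end with `certbot renew --dry-run` while Traefik is running; the dry run goes through the same Traefik router against the staging CA without touching the live certificate.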


Will those services require port 80 [even if only for HTTP-01 authentication]?
And how many external/Internet IPs do you now have?

