Problem getting the certificate from traefik

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: docker compose up -d traefik

It produced this output:

time="2023-06-21T06:52:28Z" level=error msg="Unable to obtain ACME certificate for domains \"\": unable to generate a certificate for the domains []: error: one or more domains had a problem:\n[] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused\n" ACME CA="" routerName=portainer@docker rule="Host(" providerName=letsEncrypt.acme

My web server is (include version): traefik container 2.10.3

The operating system my web server runs on is (include version): ubuntu 22.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

reading from previous threads, I noticed that letsEncrypt can block IPs, can you please check my pulbic IP? Thank you for your time

1 Like

It is far more likely you have some sort of comms config problem affecting outbound requests.

Can you run these two commands in that same container and show result?

curl -I

curl -I

Sure, here you have the output

/ # curl -I
HTTP/2 200
server: nginx
date: Wed, 21 Jun 2023 14:02:37 GMT
content-type: application/json
content-length: 752
cache-control: public, max-age=0, no-cache
replay-nonce: 2712Iios8QkMTbPS8KTAdOtrve20Zx3e2wJWJn42IqSQYpo
x-frame-options: DENY
strict-transport-security: max-age=604800

/ # curl -I
HTTP/2 404
date: Wed, 21 Jun 2023 14:02:57 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Thanks. Proves you can reach the Let's Encrypt server so your IP is not blocked. I don't know enough about your traefik setup to help debug. You might find better help debugging the comms problem on the traefik community forum.


Thank you for your time Mike.


quick update. I tested using the same container but in other server with other public IP, and works well. Something that calls my attention is that in the error message says "connection refused"

time="2023-06-21T23:08:16Z" level=error msg="Unable to obtain ACME certificate for domains "": unable to generate a certificate for the domains []: error: one or more domains had a problem:\n[] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused\n" routerName=portainer@docker rule="Host(" providerName=letsEncrypt.acme ACME CA=""

I even tryed to change the subdomain from portainer to docker, but still nothing. The other server that I tested had the public ip and worked fine. I just copied the config from one to another.

How can I solve this problem?

Yes, the connection refused is a comms problem as I noted. You should look at other differences between the servers that work and fail to see if there's any communications config that is different. You should focus on what might be different between the environment you ran the curl command and the one in which the Acme client runs


@carlosgrillet I may have led you astray. The format of the message and your concern about IP being blocked made me think the problem was with the outbound connection from your container.

But, I just looked again and it looks like an inbound problem to your server. It is still some sort of config problem in your system. And, I don't know your overall system well enough to advise. But, if I try to send a test HTTP Challenge request to your domain(s) I get a "connection refused".

This is at least partly because you redirect the HTTP request to HTTPS and nothing is listening on port 443 to process that request. It is best to not redirect the ACME Challenge HTTP request

The Let's Debug test site is good to evaluate new sites (

Note the below happens with the docker subdomain and your apex domain. You showed both at different times.

curl -i
HTTP/1.1 301 Moved Permanently

curl -i
curl: (7) Failed to connect to port 443 after 15 ms: Connection refused

nmap -p80,443
rDNS record for
80/tcp  open   http
443/tcp closed https

Thank you again for your time. Now its really clear for me. I will re-check all the configuration again. Just for you to know in both server I have this reverse proxy configuration:

                 |              docker network                |
 |Internet| ---> |Traefik container| ---> |Portainer container|
                 :80 -> :443              :80

this is the traefik config I've used in both server. I even try to disable port redirection, but still nothing

  checkNewVersion: true

  insecure: true
  dashboard: true

    address: ":80"
          to: https
          scheme: https
    address: ":443"

      email: <email>
      storage: /etc/traefik/certs/acme.json
      tlsChallenge: {}

    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true
    directory: /etc/traefik
    watch: true

Thanks to your help I could find the error. I feel a bit like a fool but the error was this. look at mi docker-compose file

version: "3"
    image: traefik:latest
    container_name: traefik
      - 80:80
      - 441:443
      - traefik-net
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_ssl_data:/ssl-certs
      - /etc/traefik:/etc/traefik
    restart: unless-stopped
          cpus: '1.0'
          memory: 50M

Thats why you didn't see the 443 port open. Thank you again for your time Mike. Hope this post can help some one else. Now its working!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.