Traefik 1.7 as loadbalancer / ingress dns-01 / acme challenge not working


I have Traefik 1.7.14 as loadbalancer, ingress deployed with helm in front of kubernetes cluster doing dns-01 challenge for wildcards through dnsimple to get certificates for exposed subdomain services and terminate ssl at the edge. It's been working for a long time, but ever since Root X3 expiry everything is acting very strange now and the certificates I am getting seems not valid.

If I look on dnsimple the _acme challenge TXT is constantly being added created and deleted in DNS, In the past those records would sit there for a while.

So when I then log into dnsimple and manually request wildcard cert I receive the full bundles but they ddont seem the same as the certs and private keys that are stored in the acme.json file generated by the dns-01 challenge.

Subdomains however do have a valid certificate but when the https is forwarded to other subdomains from Identity server for example the other subdomains complain about the certificate either being expired, or invalid, it's almost as if it multiple versions are present and are out of sync and the server certificate is also now expired.

My domain is:

I ran this commands, re-install Traefik, openssl, qualys ssltest, dpkg-reconfigure ca-certificates, update-ca-certificates

My web server is (include version): No Webserver, only Traefik serving apps from Kubernetes

The operating system my web server runs on is Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine: YES

I'm using a control panel to manage my site, There is Plesk but only using it to configure edge firewall:

The version of my client is - I'm not using certbot as Traefik is handling that but it is installed, version is 1.20.0

Hi @dniem1 welcome to the LE community forum :slight_smile:

Latest version is much higher:

I don't use Traefik, so I can't be certain that will fix the problem.

1 Like

@dniem1 I don't know Traefik either. And, I don't see anything inherently wrong with your certs. You are serving the 'long chain' - same as this website. Your leaf was issued today (Oct 7). That said, some clients do not like the long chain (like older openssl).

You might try checking out the Traefik forum too. I saw this thread which talks of these issues and I am sure there are others.

That thread talks of the 'long chain' as the legacy chain and the 'short chain' as the modern chain. I don't agree with that categorization but just pointing it out.

Another thread in this forum said to ensure to use the 'short chain' but they do not explain why.

Any client validating the short chain needs ISRG Root X1 in their CA root store. That came out in 2015 but we have seen client stores this past week that do not have it.

It is difficult to be very specific. Your config is complex and few people here would be using it like you do. If you have an example failure to reproduce it would be easier - like a failing curl or web request.

Sorry I cannot be more helpful.

Update: there is also this:

1 Like

@MikeMcQ Thank you so much for the effort to read and suggest these links to me, I appreciate the effort. I would be happy to show you some of the openssl outputs that I get if you are willing to have a look, I didnt post them here for security reasons.

Best Regards

1 Like

@dniem1 Thanks. But, I don't think I can help that much given I do not know Traefik. I did a quick look and see that much of the config is done through that and related components. I really think you are better off at the forums devoted to that "ecosystem".

1 Like

Thanks will do


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.