It seems it just went live! I was able to request a shortlived cert just minutes ago, and my account was not whitelisted.
Without changing any configuration, the renewal of my first shortlived certificates weirdly yielded a 90 day cert again. Why is that?
I should note that I am using Traefik, which afaik does not support ARI yet. So each renewal is in fact a new cert/order, I assume.
ARI is just involved in the "when" to renew, not the "what" gets renewed.
All cert "renews" are in fact new cert orders anyway. There may be differences in rate limits and such but it is a new order.
My guess is that Traefik lost track that you wanted to use the shortlived profile since your initial request. I don't know Traefik very well but their community might be better if no one else here offers help.
I moved your posts in that other thread to this new one. We like all problems to have their own.
The problems with your Traefik renewal were not related to the original post in that other thread.
I suspect it can't be a problem of Traefik, as the "profile: shortlived" is hardcoded into my config. Traefik doesn't "keep track" of that, as the certbot client would do.
I'm fairly positive this is a problem of Let's Encrypt.
Well, you haven't given us much info to work with.
Google says you should be able to set debug mode for your Traefik log to get more detailed ACME API info. Would you provide the entire sequence that it shows for this request?
Also, had you started your own thread you would have been shown the form below. Please answer as much as you can. At this stage it is hard to know what is important or not so the more info we have the better.
==================================================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
One of the domains in question is: mta-sts.schildbach.de
Here is the last renewal with the tlsserver profile:
DNS Name = mta-sts.schildbach.de
Pubkey = a2a1f95734ba0f789ed2cabb3efbf3ac24065fef8ae0c3993ef6f320bb66b548
Issuer = C=US, O=Let's Encrypt, CN=E7
Not Before = 2025-11-03 13:35:24 +0000 UTC
Not After = 2026-02-01 13:35:23 +0000 UTC
Log Entry = 685977306 @ https://ct.googleapis.com/logs/us1/argon2026h1/
crt.sh = https://crt.sh/?sha256=eaf873917f9a1931a980a1566f0270dbfdce67b8423ee3a258ea21461f439f22
When the shortlived profile became available, I switched my configuration and triggered a new certificate:
DNS Name = mta-sts.schildbach.de
Pubkey = 36c25bec5ec210065f79331c9c3ab468ae4d189fc8ddce70b071df80ff2443cf
Issuer = C=US, O=Let's Encrypt, CN=E7
Not Before = 2025-12-17 13:32:24 +0000 UTC
Not After = 2025-12-24 05:32:23 +0000 UTC
Log Entry = 737151240 @ https://mon.sycamore.ct.letsencrypt.org/2026h1/
crt.sh = https://crt.sh/?sha256=ace4e331c4478e01b8f677057f0f9ae42838452a9fafe52e03366ec8a31f4eca
160 hours, perfect!
Then a regular renewal was due, shortly before I posted about my problem 16h ago:
DNS Name = mta-sts.schildbach.de
Pubkey = 36c25bec5ec210065f79331c9c3ab468ae4d189fc8ddce70b071df80ff2443cf
Issuer = C=US, O=Let's Encrypt, CN=E8
Not Before = 2025-12-23 16:11:41 +0000 UTC
Not After = 2026-03-23 16:11:40 +0000 UTC
Log Entry = 83327374 @ https://tuscolo2026h1.skylight.geomys.org/
crt.sh = https://crt.sh/?sha256=d3435210c446e3c63ff106c416a74b7a0a6bfa81b40dc6a518c7d1179e62b1ac
Back to 3 months – why? It should still be on the shortlived profile.
I'm using Traefik 3.6.5 in Docker version 26.1.5 on Debian 13. Sadly, Traefik doesn't really produce useful log output – hopefully you have some on your side? I do have full access to my server(s) and I do not use control panels (graphical, I assume).
That did not use tlsserver. You can see at the crt.sh link or the cert itself that it has a Common Name. tlsserver certs will not have one. See Profiles - Let's Encrypt
This more strongly points to a Traefik and/or its ACME client problem.
Something is different between your one-time request and renewal.
I investigated more into this and found out Traefik is indeed using a different code path for new orders and renewals (so there is a difference).
And it seems the profile is indeed ignored for renewals. I filed a report there, let's see what they say:
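Added example, not part of the thread or of any project's code: a small monitor that parses CT records in the "Key = Value" layout quoted above and flags a name whose certificate lifetime grows again after a short-lived certificate was already issued for it. The function names are hypothetical, the 160-hour limit is the lifetime reported in the thread, and the sample records are the three from the thread with unused fields trimmed.

```python
from datetime import datetime, timedelta

# Records copied from the thread; only the fields used below are kept.
CT_RECORDS = """\
DNS Name = mta-sts.schildbach.de
Not Before = 2025-11-03 13:35:24 +0000 UTC
Not After = 2026-02-01 13:35:23 +0000 UTC
DNS Name = mta-sts.schildbach.de
Not Before = 2025-12-17 13:32:24 +0000 UTC
Not After = 2025-12-24 05:32:23 +0000 UTC
DNS Name = mta-sts.schildbach.de
Not Before = 2025-12-23 16:11:41 +0000 UTC
Not After = 2026-03-23 16:11:40 +0000 UTC
"""

SHORTLIVED_MAX = timedelta(hours=160)  # assumption: lifetime reported in the thread
FMT = "%Y-%m-%d %H:%M:%S %z UTC"
REQUIRED = {"DNS Name", "Not Before", "Not After"}

def parse_records(text):
    """Group 'Key = Value' lines into one dict per certificate."""
    records = []
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, value = (part.strip() for part in line.split(" = ", 1))
        if key == "DNS Name":      # each record starts with its DNS name
            records.append({})
        if records:
            records[-1][key] = value
    return [r for r in records if REQUIRED <= r.keys()]

def lifetime(rec):
    """Return (notBefore, validity period); notAfter is inclusive, hence +1 s."""
    start = datetime.strptime(rec["Not Before"], FMT)
    end = datetime.strptime(rec["Not After"], FMT)
    return start, end - start + timedelta(seconds=1)

def lifetime_regressions(text, limit=SHORTLIVED_MAX):
    """Flag certs longer than `limit` issued after a short one for the same name."""
    certs = sorted(((r["DNS Name"],) + lifetime(r) for r in parse_records(text)),
                   key=lambda c: c[1])
    seen_short, flagged = set(), []
    for name, start, life in certs:
        if life <= limit:
            seen_short.add(name)
        elif name in seen_short:
            flagged.append((name, start.date().isoformat(), life.days))
    return flagged
```

The 90-day certificate from before the profile switch is not flagged, because no short-lived certificate had been seen for the name at that point.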