ACME (Let's Encrypt) configuration

See also Let's Encrypt examples and Docker & Let's Encrypt user guide.

Configuration

# Sample entrypoint configuration when using ACME.
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# Enable ACME (Let's Encrypt): automatic SSL.
[acme]

# Email address used for registration.
#
# Required
#
email = "[email protected]"

# File or key used for certificates storage.
#
# Required
#
storage = "acme.json"
# or `storage = "traefik/acme/account"` if using KV store.

# Entrypoint to proxy acme challenge/apply certificates to.
# WARNING, must point to an entrypoint on port 443
#
# Required
#
entryPoint = "https"

# Use a DNS based acme challenge rather than external HTTPS access
#
#
# Optional
#
# dnsProvider = "digitalocean"

# By default, the dnsProvider will verify the TXT DNS challenge record before letting ACME verify.
# If delayDontCheckDNS is greater than zero, avoid this & instead just wait so many seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
#
# delayDontCheckDNS = 0

# If true, display debug log messages from the acme client library.
#
# Optional
#
# acmeLogging = true

# Enable on demand certificate.
#
# Optional
#
# onDemand = true

# Enable certificate generation on frontends Host rules.
#
# Optional
#
# onHostRule = true

# CA server to use.
# - Uncomment the line to run on the staging let's encrypt server.
# - Leave comment to go to prod.
#
# Optional
#
# caServer = "https://acme-staging.api.letsencrypt.org/directory"

# Domains list.
#
# [[acme.domains]]
# main = "local1.com"
# sans = ["test1.local1.com", "test2.local1.com"]
# [[acme.domains]]
# main = "local2.com"
# sans = ["test1.local2.com", "test2.local2.com"]
# [[acme.domains]]
# main = "local3.com"
# [[acme.domains]]
# main = "local4.com"

storage

[acme]
# ...
storage = "acme.json"
# ...

File or key used for certificates storage.

WARNING If you use Traefik in Docker, you have 2 options:

  • create a file on your host and mount it as a volume:
storage = "acme.json"
docker run -v "/my/host/acme.json:acme.json" traefik
  • mount the folder containing the file as a volume
storage = "/etc/traefik/acme/acme.json"
docker run -v "/my/host/acme:/etc/traefik/acme" traefik

dnsProvider

[acme]
# ...
dnsProvider = "digitalocean"
# ...

Use a DNS based acme challenge rather than external HTTPS access, e.g. for a firewalled server.

Select the provider that matches the DNS domain that will host the challenge TXT record, and provide environment variables with access keys to enable setting it:

Provider Configuration
Cloudflare CLOUDFLARE_EMAIL, CLOUDFLARE_API_KEY
DigitalOcean DO_AUTH_TOKEN
DNSimple DNSIMPLE_EMAIL, DNSIMPLE_OAUTH_TOKEN
DNS Made Easy DNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET
Exoscale EXOSCALE_API_KEY, EXOSCALE_API_SECRET
Gandi GANDI_API_KEY
Linode LINODE_API_KEY
manual none, but run Traefik interactively & turn on acmeLogging to see instructions & press Enter.
Namecheap NAMECHEAP_API_USER, NAMECHEAP_API_KEY
RFC2136 RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER
Route 53 AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, or configured user/instance IAM profile.
dyn DYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORD
VULTR VULTR_API_KEY
OVH OVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY
pdns PDNS_API_KEY, PDNS_API_URL

delayDontCheckDNS

[acme]
# ...
delayDontCheckDNS = 0
# ...

By default, the dnsProvider will verify the TXT DNS challenge record before letting ACME verify.
If delayDontCheckDNS is greater than zero, avoid this & instead just wait so many seconds.

Useful if internal networks block external DNS queries.

onDemand

[acme]
# ...
onDemand = true
# ...

Enable on demand certificate.

This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.

Warning

TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.

Warning

Take note that Let's Encrypt have rate limiting

onHostRule

[acme]
# ...
onHostRule = true
# ...

Enable certificate generation on frontends Host rules.

This will request a certificate from Let's Encrypt for each frontend with a Host rule.

For example, a rule Host:test1.traefik.io,test2.traefik.io will request a certificate with main domain test1.traefik.io and SAN test2.traefik.io.

caServer

[acme]
# ...
caServer = "https://acme-staging.api.letsencrypt.org/directory"
# ...

CA server to use.

  • Uncomment the line to run on the staging Let's Encrypt server.
  • Leave comment to go to prod.

domains

[acme]
# ...
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
# ...

You can provide SANs (alternative domains) to each main domain. All domains must have A/AAAA records pointing to Traefik.

Warning

Take note that Let's Encrypt have rate limiting.

Each domain & SANs will lead to a certificate request.