Skip to content

ACME (Let's Encrypt) Configuration

See Let's Encrypt examples and Docker & Let's Encrypt user guide as well.

Configuration

# Sample entrypoint configuration when using ACME.
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
# Enable ACME (Let's Encrypt): automatic SSL.
[acme]

# Email address used for registration.
#
# Required
#
email = "[email protected]"

# File used for certificates storage.
#
# Optional (Deprecated)
#
#storageFile = "acme.json"

# File or key used for certificates storage.
#
# Required
#
storage = "acme.json"
# or `storage = "traefik/acme/account"` if using KV store.

# Entrypoint to proxy acme apply certificates to.
#
# Required
#
entryPoint = "https"

# Deprecated, replaced by [acme.dnsChallenge].
#
# Optional.
#
# dnsProvider = "digitalocean"

# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
#
# Optional
# Default: 0
#
# delayDontCheckDNS = 0

# If true, display debug log messages from the acme client library.
#
# Optional
# Default: false
#
# acmeLogging = true

# If true, override certificates in key-value store when using storeconfig.
#
# Optional
# Default: false
#
# overrideCertificates = true

# Deprecated. Enable on demand certificate generation.
#
# Optional
# Default: false
#
# onDemand = true

# Enable certificate generation on frontends host rules.
#
# Optional
# Default: false
#
# onHostRule = true

# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
#
# Optional
# Default: "https://acme-v02.api.letsencrypt.org/directory"
#
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

# KeyType to use.
#
# Optional
# Default: "RSA4096"
#
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
#
# KeyType = "RSA4096"

# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
[acme.tlsChallenge]

# Use a HTTP-01 ACME challenge.
#
# Optional
#
# [acme.httpChallenge]

  # EntryPoint to use for the HTTP-01 challenges.
  #
  # Required
  #
  # entryPoint = "http"

# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
# [acme.dnsChallenge]

  # DNS provider used.
  #
  # Required
  #
  # provider = "digitalocean"

  # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
  # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
  # Useful if internal networks block external DNS queries.
  #
  # Optional
  # Default: 0
  #
  # delayBeforeCheck = 0

  # Use following DNS servers to resolve the FQDN authority.
  #
  # Optional
  # Default: empty
  #
  # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

  # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
  #
  # NOT RECOMMENDED:
  # Increase the risk of reaching Let's Encrypt's rate limits.
  #
  # Optional
  # Default: false
  #
  # disablePropagationCheck = true

# Domains list.
# Only domains defined here can generate wildcard certificates.
# The certificates for these domains are negotiated at traefik startup only.
#
# [[acme.domains]]
#   main = "local1.com"
#   sans = ["test1.local1.com", "test2.local1.com"]
# [[acme.domains]]
#   main = "local2.com"
# [[acme.domains]]
#   main = "*.local3.com"
#   sans = ["local3.com", "test1.test1.local3.com"]

caServer

The CA server to use.

This example shows the usage of Let's Encrypt's staging server:

[acme]
# ...
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# ...

ACME Challenge

tlsChallenge

Use the TLS-ALPN-01 challenge to generate and renew ACME certificates by provisioning a TLS certificate.

[acme]
# ...
entryPoint = "https"
[acme.tlsChallenge]

Note

If the TLS-ALPN-01 challenge is used, acme.entryPoint has to be reachable by Let's Encrypt through port 443. This is a Let's Encrypt limitation as described on the community forum.

httpChallenge

Use the HTTP-01 challenge to generate and renew ACME certificates by provisioning a HTTP resource under a well-known URI.

Redirection is fully compatible with the HTTP-01 challenge.

[acme]
# ...
entryPoint = "https"
[acme.httpChallenge]
  entryPoint = "http"

Note

If the HTTP-01 challenge is used, acme.httpChallenge.entryPoint has to be defined and reachable by Let's Encrypt through port 80. This is a Let's Encrypt limitation as described on the community forum.

entryPoint

Specify the entryPoint to use during the challenges.

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
# ...

[acme]
  # ...
  entryPoint = "https"
  [acme.httpChallenge]
    entryPoint = "http"

Note

acme.httpChallenge.entryPoint has to be reachable through port 80. It's a Let's Encrypt limitation as described on the community forum.

dnsChallenge

Use the DNS-01 challenge to generate and renew ACME certificates by provisioning a DNS record.

[acme]
# ...
[acme.dnsChallenge]
  provider = "digitalocean"
  delayBeforeCheck = 0
# ...
delayBeforeCheck

By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.

Useful if internal networks block external DNS queries.

Note

A provider is mandatory.

provider

Here is a list of supported providers, that can automate the DNS verification, along with the required environment variables and their wildcard & root domain support for each. Do not hesitate to complete it.

Provider Name Provider Code Environment Variables Wildcard & Root Domain Support
ACME DNS acme-dns ACME_DNS_API_BASE, ACME_DNS_STORAGE_PATH Not tested yet
Alibaba Cloud alidns ALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY, ALICLOUD_REGION_ID Not tested yet
Auroradns auroradns AURORA_USER_ID, AURORA_KEY, AURORA_ENDPOINT Not tested yet
Azure azure AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESOURCE_GROUP, [AZURE_METADATA_ENDPOINT] Not tested yet
Blue Cat bluecat BLUECAT_SERVER_URL, BLUECAT_USER_NAME, BLUECAT_PASSWORD, BLUECAT_CONFIG_NAME, BLUECAT_DNS_VIEW Not tested yet
Cloudflare cloudflare CF_API_EMAIL, CF_API_KEY - The Global API Key needs to be used, not the Origin CA Key YES
CloudXNS cloudxns CLOUDXNS_API_KEY, CLOUDXNS_SECRET_KEY Not tested yet
ConoHa conoha CONOHA_TENANT_ID, CONOHA_API_USERNAME, CONOHA_API_PASSWORD YES
DigitalOcean digitalocean DO_AUTH_TOKEN YES
DNSimple dnsimple DNSIMPLE_OAUTH_TOKEN, DNSIMPLE_BASE_URL Not tested yet
DNS Made Easy dnsmadeeasy DNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET, DNSMADEEASY_SANDBOX Not tested yet
DNSPod dnspod DNSPOD_API_KEY Not tested yet
DreamHost dreamhost DREAMHOST_API_KEY YES
Duck DNS duckdns DUCKDNS_TOKEN No
Dyn dyn DYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORD Not tested yet
External Program exec EXEC_PATH YES
Exoscale exoscale EXOSCALE_API_KEY, EXOSCALE_API_SECRET, EXOSCALE_ENDPOINT YES
Fast DNS fastdns AKAMAI_CLIENT_TOKEN, AKAMAI_CLIENT_SECRET, AKAMAI_ACCESS_TOKEN Not tested yet
Gandi gandi GANDI_API_KEY Not tested yet
Gandi v5 gandiv5 GANDIV5_API_KEY YES
Glesys glesys GLESYS_API_USER, GLESYS_API_KEY, GLESYS_DOMAIN Not tested yet
GoDaddy godaddy GODADDY_API_KEY, GODADDY_API_SECRET Not tested yet
Google Cloud DNS gcloud GCE_PROJECT, GCE_SERVICE_ACCOUNT_FILE YES
hosting.de hostingde HOSTINGDE_API_KEY, HOSTINGDE_ZONE_NAME Not tested yet
HTTP request httpreq HTTPREQ_ENDPOINT, HTTPREQ_MODE, HTTPREQ_USERNAME, HTTPREQ_PASSWORD YES
IIJ iij IIJ_API_ACCESS_KEY, IIJ_API_SECRET_KEY, IIJ_DO_SERVICE_CODE Not tested yet
INWX inwx INWX_USERNAME, INWX_PASSWORD YES
Lightsail lightsail AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DNS_ZONE Not tested yet
Linode linode LINODE_API_KEY Not tested yet
Linode v4 linodev4 LINODE_TOKEN Not tested yet
manual - none, but you need to run Traefik interactively, turn on acmeLogging to see instructions and press Enter. YES
MyDNS.jp mydnsjp MYDNSJP_MASTER_ID, MYDNSJP_PASSWORD YES
Namecheap namecheap NAMECHEAP_API_USER, NAMECHEAP_API_KEY YES
name.com namedotcom NAMECOM_USERNAME, NAMECOM_API_TOKEN, NAMECOM_SERVER Not tested yet
Netcup netcup NETCUP_CUSTOMER_NUMBER, NETCUP_API_KEY, NETCUP_API_PASSWORD Not tested yet
NIFCloud nifcloud NIFCLOUD_ACCESS_KEY_ID, NIFCLOUD_SECRET_ACCESS_KEY Not tested yet
Ns1 ns1 NS1_API_KEY Not tested yet
Open Telekom Cloud otc OTC_DOMAIN_NAME, OTC_USER_NAME, OTC_PASSWORD, OTC_PROJECT_NAME, OTC_IDENTITY_ENDPOINT Not tested yet
OVH ovh OVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY YES
PowerDNS pdns PDNS_API_KEY, PDNS_API_URL Not tested yet
Rackspace rackspace RACKSPACE_USER, RACKSPACE_API_KEY Not tested yet
RFC2136 rfc2136 RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER Not tested yet
Route 53 route53 AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_REGION], [AWS_HOSTED_ZONE_ID] or a configured user/instance IAM profile. YES
Sakura Cloud sakuracloud SAKURACLOUD_ACCESS_TOKEN, SAKURACLOUD_ACCESS_TOKEN_SECRET Not tested yet
Selectel selectel SELECTEL_API_TOKEN YES
Stackpath stackpath STACKPATH_CLIENT_ID, STACKPATH_CLIENT_SECRET, STACKPATH_STACK_ID Not tested yet
TransIP transip TRANSIP_ACCOUNT_NAME, TRANSIP_PRIVATE_KEY_PATH YES
VegaDNS vegadns SECRET_VEGADNS_KEY, SECRET_VEGADNS_SECRET, VEGADNS_URL Not tested yet
Vscale vscale VSCALE_API_TOKEN YES
VULTR vultr VULTR_API_KEY Not tested yet

resolvers

Use custom DNS servers to resolve the FQDN authority.

domains

You can provide SANs (alternative domains) to each main domain. All domains must have A/AAAA records pointing to Traefik. Each domain & SAN will lead to a certificate request.

Note

The certificates for the domains listed in acme.domains are negotiated at traefik startup only.

[acme]
# ...
[[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
  main = "local2.com"
[[acme.domains]]
  main = "*.local3.com"
  sans = ["local3.com", "test1.test1.local3.com"]
# ...

Warning

Take note that Let's Encrypt applies rate limiting.

Note

Wildcard certificates can only be verified through a DNS-01 challenge.

Wildcard Domains

ACME V2 allows wildcard certificate support. As described in Let's Encrypt's post wildcard certificates can only be generated through a DNS-01 challenge.

[acme]
# ...
[[acme.domains]]
  main = "*.local1.com"
  sans = ["local1.com"]
# ...

It is not possible to request a double wildcard certificate for a domain (for example *.*.local.com). Due to ACME limitation it is not possible to define wildcards in SANs (alternative domains). Thus, the wildcard domain has to be defined as a main domain. Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 DNS-01 challenges are executed. In this case the generated DNS TXT record for both domains is the same. Even though this behaviour is DNS RFC compliant, it can lead to problems as all DNS providers keep DNS records cached for a certain time (TTL) and this TTL can be superior to the challenge timeout making the DNS-01 challenge fail. The Traefik ACME client library LEGO supports some but not all DNS providers to work around this issue. The provider table indicates if they allow generating certificates for a wildcard domain and its root domain.

onDemand (Deprecated)

DEPRECATED

This option is deprecated.

[acme]
# ...
onDemand = true
# ...

Enable on demand certificate generation.

This will request certificates from Let's Encrypt during the first TLS handshake for host names that do not yet have certificates.

Warning

TLS handshakes are slow when requesting a host name certificate for the first time. This can lead to DoS attacks!

Warning

Take note that Let's Encrypt applies rate limiting.

onHostRule

[acme]
# ...
onHostRule = true
# ...

Enable certificate generation on frontend Host rules (for frontends wired to the acme.entryPoint).

This will request a certificate from Let's Encrypt for each frontend with a Host rule.

For example, the rule Host:test1.traefik.io,test2.traefik.io will request a certificate with main domain test1.traefik.io and SAN test2.traefik.io.

Warning

onHostRule option can not be used to generate wildcard certificates. Refer to wildcard generation for further information.

storage

The storage option sets the location where your ACME certificates are saved to.

[acme]
# ...
storage = "acme.json"
# ...

The value can refer to two kinds of storage:

  • a JSON file
  • a KV store entry

DEPRECATED

storage replaces storageFile which is deprecated.

Note

During migration to a KV store use both storageFile and storage to migrate ACME certificates too. See storeconfig subcommand for further information.

As a File

ACME certificates can be stored in a JSON file that needs to have file mode 600.

In Docker you can either mount the JSON file or the folder containing it:

docker run -v "/my/host/acme.json:acme.json" traefik
docker run -v "/my/host/acme:/etc/traefik/acme" traefik

Warning

This file cannot be shared across multiple instances of Traefik at the same time. Please use a KV Store entry instead.

As a Key Value Store Entry

ACME certificates can be stored in a KV Store entry. This kind of storage is mandatory in cluster mode.

storage = "traefik/acme/account"

Because KV stores (like Consul) have limited entry size the certificates list is compressed before it is saved as KV store entry.

Note

It is possible to store up to approximately 100 ACME certificates in Consul.

ACME v2 Migration

During migration from ACME v1 to ACME v2, using a storage file, a backup of the original file is created in the same place as the latter (with a .bak extension).

For example: if acme.storage's value is /etc/traefik/acme/acme.json, the backup file will be /etc/traefik/acme/acme.json.bak.

Note

When Traefik is launched in a container, the storage file's parent directory needs to be mounted to be able to access the backup file on the host. Otherwise the backup file will be deleted when the container is stopped. Traefik will only generate it once!

dnsProvider (Deprecated)

DEPRECATED

This option is deprecated. Please use dnsChallenge.provider instead.

delayDontCheckDNS (Deprecated)

DEPRECATED

This option is deprecated. Please use dnsChallenge.delayBeforeCheck instead.

Fallbacks

If Let's Encrypt is not reachable, these certificates will be used:

  1. ACME certificates already generated before downtime
  2. Expired ACME certificates
  3. Provided certificates

Note

For new (sub)domains which need Let's Encrypt authentification, the default Traefik certificate will be used until Traefik is restarted.