Traefik failing to renew LE certificate when subdomain is proxied

Please excuse my ignorance in advance: I am new to this.

I run a Traefik reverse proxy in a Docker container on a VPS provider (Contabo) currently serving a WordPress and a Jitsi instance - super simple, nothing complicated or fancy. The whole thing is set up with docker run & compose and uses Let’s Encrypt certificates.

I’ve transferred my domains to Cloudflare and have proxied DNS A records pointing to the VPS.

Everything was working fine for a few months until I was alerted that my site is not reachable and realized the certificates have expired. I checked the Traefik logs and found this:

time="2021-08-31T07:08:59Z" level=error msg="Error renewing certificate from LE: {traefik.domain.com []}, error: one or more domains had a problem:\n[traefik.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n" providerName=lets-encrypt.acme

As soon as I disabled the proxy on Cloudflare and restarted the containers the certificate was updated and everything works fine again.

My questions:

  1. With my still limited knowledge of SSL / TLS I assume Let’s Encrypt needs to reach my Traefik instance / ACME directly to validate the domain. Correct?
  2. Does that mean I have to turn the proxy off at least when it’s time to renew or is there some workaround?
  3. Is there some way to automate the whole thing? I am surely not the first / only person experiencing this - this is surely a very simple, common setup.

Thanks in advance!

Some systems struggle with this configuration.

The easiest approach would be to install your own Cloudflare Origin CA certificate:
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

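As an added example (not part of the original thread), this is what swapping the failing tls-alpn-01 resolver for a Cloudflare Origin CA certificate looks like in Traefik v2: the static `traefik.yml` and the dynamic file it points at are shown as two YAML documents in one block, and the e-mail, file paths and resolver name are placeholders.

```yaml
# --- traefik.yml (static configuration) ---
# Before: the ACME resolver using the TLS-ALPN-01 challenge. With Cloudflare
# proxying the record, the Cloudflare edge terminates TLS and never offers
# "acme-tls/1", which is the 403 "Cannot negotiate ALPN protocol" in the log.
# certificatesResolvers:
#   le:
#     acme:
#       email: admin@example.com          # placeholder
#       storage: /letsencrypt/acme.json
#       tlsChallenge: {}

# After: no ACME resolver; the certificate is loaded from a dynamic file.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic.yml    # placeholder path, mounted into the container
    watch: true                           # reload when the cert files are replaced

---
# --- /etc/traefik/dynamic.yml (dynamic configuration) ---
# Certificate and key generated in the Cloudflare dashboard (Origin CA) and
# mounted read-only into the container. Origin CA certificates are trusted
# only by Cloudflare's edge, so the record must stay proxied and the zone's
# SSL/TLS mode should be "Full (strict)"; browsers hitting the origin
# directly will see an untrusted certificate.
tls:
  certificates:
    - certFile: /certs/origin.pem         # placeholder path
      keyFile: /certs/origin-key.pem      # placeholder path
  stores:
    default:
      defaultCertificate:
        certFile: /certs/origin.pem
        keyFile: /certs/origin-key.pem
```

On the service side the router labels then carry `traefik.http.routers.<name>.tls=true` with no `certresolver` label, so Traefik serves the default certificate instead of asking Let's Encrypt for one.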

Thank you, I have indeed created one already. Would I use it instead of Let’s Encrypt? As far as I remember it’s valid for 10 years, correct?

That would also mean, however, that if I disable proxying the websites would come up as insecure, correct? And I would have to remove the ACME configuration from the container configs?

Thanks a lot for your support!
