
Post Install ACME Failing Fix

This guide walks you through the exact steps to diagnose and fix ACME certificate issues during a Pangolin installation. These steps cover the most common real‑world causes: DNS mismatches, blocked ports, Traefik misconfiguration, and redirect loops. Follow the checklist in order—each step rules out a specific failure point so you can quickly identify what’s wrong and get ACME issuing certificates again.


Troubleshooting Steps

Verify DNS is pointing to the correct server

ACME will always fail if DNS points to the wrong IP.

  • A yourdomain.com → <your VPS IP>

  • A *.yourdomain.com → <your VPS IP>

  1. Check your server’s public IP and make sure it matches your DNS records:
curl ifconfig.me

Test port 80 from outside the server

ACME HTTP‑01 requires port 80 to be reachable publicly.

  1. From your laptop or phone:

curl -I http://yourdomain.com

Interpret the result:

  • 200 / 301 / 404 → Port 80 is open (good)

  • Timeout → Firewall or provider is blocking port 80

  • Connection refused → Traefik is not listening on port 80
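The DNS and port 80 checks above, combined into one script you can run from your laptop (or any machine outside the VPS). This is an added example, not part of the Pangolin docs; it assumes `curl` and `dig` are installed, `yourdomain.com` is a placeholder, and the expected VPS IP is the value you got from `curl ifconfig.me` on the server. The function `classify_port80` maps curl's exit status (28 = timeout, 7 = connection refused) and the HTTP status code onto the three outcomes listed in the checklist.

```shell
#!/bin/sh
# Added example (not from the Pangolin docs): run the DNS and port-80 checks
# from outside the VPS and print the same diagnosis as the checklist.
# Assumes curl and dig are installed. Usage:
#   sh acme_precheck.sh yourdomain.com <your VPS IP>

# Pure comparison: the A record must resolve to the server's public IP.
dns_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Map curl's exit status and the HTTP status code onto the checklist's
# interpretation: exit 28 is a timeout, exit 7 is "connection refused".
classify_port80() {
  curl_exit=$1
  http_code=$2
  case "$curl_exit" in
    0)
      case "$http_code" in
        200|301|404) echo "open" ;;                   # port 80 reachable (good)
        *) echo "open-unexpected-status:$http_code" ;;
      esac ;;
    7)  echo "connection-refused" ;;                  # nothing bound to :80 (Traefik)
    28) echo "timeout" ;;                             # firewall/provider blocking :80
    *)  echo "curl-error:$curl_exit" ;;
  esac
}

# Live checks; these need network access, so they only run when arguments are given.
run_checks() {
  domain=$1
  expected_ip=$2
  # +short may list a CNAME target first; keep only the first dotted-quad answer.
  resolved_ip=$(dig +short A "$domain" | grep -E '^[0-9.]+$' | head -n 1)
  if dns_matches "$resolved_ip" "$expected_ip"; then
    echo "DNS OK: $domain -> $resolved_ip"
  else
    echo "DNS MISMATCH: $domain resolves to '$resolved_ip', expected '$expected_ip'"
  fi
  # -I sends HEAD like the checklist; -o /dev/null discards the headers and
  # -w prints only the status code (000 when no response was received).
  http_code=$(curl -sI -o /dev/null --max-time 10 -w '%{http_code}' "http://$domain")
  curl_exit=$?
  echo "port 80: $(classify_port80 "$curl_exit" "$http_code")"
}

if [ $# -ge 2 ]; then run_checks "$1" "$2"; fi
```

A `timeout` result points at the UFW or provider firewall steps below; `connection-refused` points at the Traefik port binding step.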


Check VPS firewall (UFW)

sudo ufw status

You should see:

80/tcp   ALLOW
443/tcp  ALLOW

If missing:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Check hosting provider firewall

For example, Hetzner has an external firewall that overrides UFW rules.

  1. Go to your VPS dashboard
  2. Server → Networking → Firewalls
  3. Make sure inbound rules exist for:
TCP 80
TCP 443

If the rule for port 80 is missing → ACME will fail every time.


Confirm Traefik is listening on port 80

  1. SSH into the server and run the following command:
sudo ss -tulpn | grep :80

Expected:

docker-proxy ... LISTEN ... :80

If nothing is listening → Traefik didn’t bind to port 80.

Disable HTTP→HTTPS redirect during ACME

This is the most common Traefik issue.

If Traefik redirects ACME requests to HTTPS before a certificate exists, ACME fails.

  1. SSH into the server and open dynamic-compose.yaml (usually in the config > traefik folder). Find the router that redirects HTTP to HTTPS:
main-app-router-redirect:
  entryPoints:
    - web
  middlewares:
    - redirect-to-https
  2. Temporarily comment out the redirect middleware:
# - redirect-to-https
  3. Restart Traefik:
sudo docker compose restart traefik
Once the certificate has been issued successfully, uncomment the redirect.
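To confirm the redirect is really out of the way before retrying ACME, request a made-up token under the ACME challenge path over plain HTTP and look at what port 80 answers. This is an added example, not part of the Pangolin docs; it assumes `curl` is installed and `yourdomain.com` is a placeholder. The token in the URL is constructed and does not need to exist: a 404 served over HTTP is the healthy result, while a 301/302/307/308 whose Location is `https://...` means the redirect middleware is still active.

```shell
#!/bin/sh
# Added example (not from the Pangolin docs): check whether port 80 still
# redirects the ACME challenge path to HTTPS. Assumes curl. Usage:
#   sh acme_redirect_check.sh yourdomain.com

# Decide from the HTTP status code and the redirect target whether port 80
# is bouncing HTTP-01 requests to HTTPS, which fails before a cert exists.
classify_challenge_response() {
  http_code=$1
  location=$2
  case "$http_code" in
    301|302|307|308)
      case "$location" in
        https://*) echo "redirect-to-https" ;;       # redirect middleware still active
        *) echo "redirect-other:$location" ;;
      esac ;;
    000) echo "unreachable" ;;                       # no response: see the port 80 steps
    *) echo "served-on-http:$http_code" ;;           # 404 is expected for a made-up token
  esac
}

# Live check: one request to the challenge path, without following redirects.
check_challenge_path() {
  domain=$1
  url="http://$domain/.well-known/acme-challenge/constructed-test-token"
  # -w emits "<status> <Location target>"; redirect_url is empty when there is none.
  set -- $(curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$url")
  classify_challenge_response "$1" "${2:-}"
}

if [ $# -gt 0 ]; then check_challenge_path "$1"; fi
```

Run it after commenting out the middleware and restarting Traefik; only once it reports `served-on-http:404` is it worth watching the Traefik logs for the next ACME attempt.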

Ensure ACME is using HTTP‑01 on the correct entrypoint

In the Traefik config YAML, the HTTP challenge must use the web entrypoint:

httpChallenge:
  entryPoint: web

The entrypoints must be defined as:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"