Post Install ACME Falining Fix

This guide walks you through the exact steps to diagnose and fix ACME certificate issues during a Pangolin installation. These steps cover the most common real‑world causes: DNS mismatches, blocked ports, Traefik misconfiguration, and redirect loops. Follow the checklist in order—each step rules out a specific failure point so you can quickly identify what’s wrong and get ACME issuing certificates again.

Troubleshoot Steps

Verify DNS is pointing to the correct server

ACME will always fail if DNS points to the wrong IP.

A yourdomain.com → <your VPS IP>
A *.yourdomain.com → <your VPS IP>

Check your server’s public IP and make sure it matches your DNS records

curl ifconfig.me

Test port 80 from outside the server

ACME HTTP‑01 requires port 80 to be reachable publicly.

From your laptop or phone:

curl -I http://yourdomain.com

Interpret the result:

200 / 301 / 404 → Port 80 is open (good)
Timeout → Firewall or provider is blocking port 80
Connection refused → Traefik is not listening on port 80

3.

Check VPS firewall (UFW)

~~On the server:~~

~~bash~~

sudo ufw status

~~You must see:~~

~~Code~~You should see

80/tcp   ALLOW
443/tcp  ALLOW

If missing:

~~bash~~

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

4.

Check hosting provider firewall (Hetzner Cloud Firewall)

For example Hetzner has an external firewall that overrides ~~UFW.~~UFW

InGo ~~Hetzner~~to ~~dashboard:~~your VPS dashboard

Server → Networking → Firewalls

~~You must allow:~~

~~Code~~

TCP 80
TCP 443

If port 80 is missing → ACME will fail every time.

5.

Confirm Traefik is listening on port 80

~~On the server:~~

~~bash~~SSH into server and run following command

sudo ss -tulpn | grep :80

Expected:

~~Code~~

docker-proxy ... LISTEN ... :80

If nothing is listening → Traefik didn’t bind to port 80.

6.

Disable HTTP→HTTPS redirect during ACME

This is the most common Traefik ~~mistake.~~issue.

If Traefik redirects ACME requests to HTTPS before a certificate exists, ACME fails.

~~Look~~SSH ~~for~~into ~~this~~the server, and go to dynamic-compose.yaml. Usually in ~~your~~config ~~dynamic~~> ~~config:~~traefik folder

~~yaml~~

middlewares:
  - redirect-to-https

~~Or:~~

~~yaml~~

main-app-router-redirect:
  entryPoints:
    - web
  middlewares:
    - redirect-to-https

Temporarily comment out the redirect:

~~yaml~~

# - redirect-to-https

Restart Traefik:

~~bash~~

sudo docker compose restart traefik

Uncomment the redirect after successful redirect

7.

Ensure ACME is using HTTP‑01 on the correct entrypoint

In traefik_config.yml:traefik onfig yaml

~~yaml~~

httpChallenge:
  entryPoint: web

Entrypoints must be:

~~yaml~~

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

8. Check for CrowdSec blocking ACME

~~CrowdSec sometimes blocks Let’s Encrypt IPs.~~

~~If you see errors like:~~

invalid authorization

timeout during connect

missing token

~~Temporarily disable CrowdSec middleware:~~

~~yaml~~

# - crowdsec@file

~~Restart Traefik.~~

9. Restart Traefik and watch ACME logs

~~Traefik retries ACME automatically.~~

~~bash~~

docker logs traefik -f

~~You want to see:~~

~~Code~~

Server responded with certificate

10. Re-enable HTTPS redirect after certificate is issued

~~Once ACME succeeds, you can safely turn HTTPS redirect back on:~~

~~yaml~~

middlewares:
  - redirect-to-https

~~Restart Traefik again.~~

11. Verify HTTPS is working

~~From your laptop:~~

~~bash~~

curl -I https://yourdomain.com

~~You should see:~~

~~Code~~

HTTP/2 200

~~Or a redirect.~~

12. Confirm Pangolin + Newt tunnel works

~~Once ACME is fixed:~~

~~Pangolin can issue tokens~~

~~WebSocket handshake succeeds~~

~~Newt receives WireGuard config~~

~~Tunnel comes up normally~~