Post-Install ACME Failing Fix
This guide walks you through the exact steps to diagnose and fix ACME certificate issues during a Pangolin installation. These steps cover the most common real‑world causes: DNS mismatches, blocked ports, Traefik misconfiguration, and redirect loops. Follow the checklist in order—each step rules out a specific failure point so you can quickly identify what’s wrong and get ACME issuing certificates again.
Troubleshooting Steps
1. Verify DNS is pointing to the correct server
ACME will always fail if DNS points to the wrong IP.
- A yourdomain.com → <your VPS IP>
- A *.yourdomain.com → <your VPS IP>
- Check your server's public IP and make sure it matches your DNS records:
curl ifconfig.me
2. Test port 80 from outside the server
ACME HTTP‑01 requires port 80 to be reachable publicly, from the Let's Encrypt validation servers and not only from your own network.
- From your laptop or phone (not from the VPS itself):
curl -I http://yourdomain.com
Interpret the result:
- 200 / 301 / 404 → Port 80 is open (good)
- Timeout → Firewall or provider is blocking port 80
- Connection refused → Traefik is not listening on port 80
3. Check VPS firewall (UFW)
On the server:
sudo ufw status
You must see (or "Status: inactive", which means UFW is not filtering anything and is not the problem):
80/tcp ALLOW
443/tcp ALLOW
If missing:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
4. Check hosting provider firewall (Hetzner Cloud Firewall)
Some providers run an external firewall that filters traffic before it ever reaches the VPS, so a UFW allow rule alone is not enough. Hetzner, for example:
In the Hetzner dashboard go to your VPS → Networking → Firewalls
You must allow:
TCP 80
TCP 443
If port 80 is missing → ACME will fail every time.
5. Confirm Traefik is listening on port 80
On the server (SSH in and run the following command):
sudo ss -tulpn | grep :80
Expected:
docker-proxy ... LISTEN ... :80
If nothing is listening → Traefik didn’t bind to port 80.
6. Disable HTTP→HTTPS redirect during ACME
This is the most common Traefik issue.
If Traefik redirects ACME requests to HTTPS before a certificate exists, ACME fails.
SSH into the server and open the Traefik dynamic config file (dynamic-compose.yaml, usually in the config/traefik folder). Look for this:
middlewares:
- redirect-to-https
Or:
main-app-router-redirect:
entryPoints:
- web
middlewares:
- redirect-to-https
- Temporarily comment out the redirect:
# - redirect-to-https
- Restart Traefik:
sudo docker compose restart traefik
Uncomment the redirect again only after the certificate has been issued (step 10).
7. Ensure ACME is using HTTP‑01 on the correct entrypoint
In traefik_config.yml:
httpChallenge:
entryPoint: web
Entrypoints must be:
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
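As an added example (not Pangolin's or Traefik's own tooling), the following POSIX shell helpers turn steps 2, 6 and 7 of this checklist into checks you can run against your own files: port80_verdict maps the exit code of the curl probe onto the three outcomes listed in step 2, active_redirect_refs counts uncommented redirect-to-https references in the dynamic config (step 6), and check_http01_entrypoint confirms that the entrypoint named under httpChallenge really listens on :80 (step 7). The function names, the temporary directory and the two sample config files are constructed for the demo; the YAML parsing assumes the two-space-indented layout shown in this guide.

```shell
#!/bin/sh
# Added example (not Pangolin's or Traefik's own tooling): offline helpers for
# steps 2, 6 and 7 of the checklist. Sample configs below are constructed for
# the demo; point the functions at your real config/traefik files instead.
set -u

# Step 2: turn the exit code of `curl -I http://yourdomain.com` into the checklist verdict.
port80_verdict() {
  case "$1" in
    0)  echo "open" ;;      # any HTTP reply (200/301/404) means port 80 is reachable
    6)  echo "dns" ;;       # curl (6) could not resolve host: back to step 1
    7)  echo "refused" ;;   # curl (7) connection refused: nothing listening on :80 (step 5)
    28) echo "timeout" ;;   # curl (28) timed out: firewall/provider blocking port 80 (steps 3-4)
    *)  echo "unknown($1)" ;;
  esac
}

# Step 2 live helper (needs network): probe the host and classify the result.
live_port80_check() {
  curl -sS -I -m 10 -o /dev/null "http://$1"
  port80_verdict $?
}

# Step 6: count active (uncommented) "- redirect-to-https" references in a dynamic config.
# Anything > 0 while ACME is still failing means HTTP-01 requests are being bounced to 443.
active_redirect_refs() {
  grep -c -E '^[[:space:]]*-[[:space:]]*redirect-to-https' "$1" || :
}

# Step 7: name of the entrypoint bound to the HTTP-01 challenge in the static config.
http_challenge_entrypoint() {
  awk '
    /^[[:space:]]*httpChallenge:/ { in_hc = 1; next }
    in_hc && /^[[:space:]]*entryPoint:/ { print $2; exit }
    in_hc && /^[[:space:]]*[A-Za-z]+:/ { in_hc = 0 }
  ' "$1"
}

# Step 7: address a named entrypoint listens on (e.g. web -> :80).
entrypoint_address() {
  awk -v name="$2" '
    /^[[:space:]]*entryPoints:/ { in_ep = 1; next }
    in_ep && $1 == (name ":") { in_target = 1; next }
    in_target && /^[[:space:]]*address:/ { gsub(/"/, "", $2); print $2; exit }
    in_target && /^[[:space:]]*[A-Za-z]+:/ { in_target = 0 }
  ' "$1"
}

# Step 7 combined check: HTTP-01 must run on an entrypoint that listens on :80.
check_http01_entrypoint() {
  ep=$(http_challenge_entrypoint "$1")
  if [ -z "$ep" ]; then
    echo "bad: no httpChallenge.entryPoint in $1"; return 1
  fi
  addr=$(entrypoint_address "$1" "$ep")
  if [ "$addr" = ":80" ]; then
    echo "ok: httpChallenge uses entrypoint '$ep' on :80"; return 0
  fi
  echo "bad: entrypoint '$ep' listens on '${addr:-<undefined>}', not :80"; return 1
}

# --- constructed sample configs (not taken from a real install) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/traefik_config.yml" <<'EOF'
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
EOF
# Same resolver mis-bound to websecure: the challenge can never be answered on :443.
sed 's/entryPoint: web/entryPoint: websecure/' "$SAMPLE_DIR/traefik_config.yml" \
  > "$SAMPLE_DIR/traefik_config_bad.yml"
cat > "$SAMPLE_DIR/dynamic_config.yml" <<'EOF'
http:
  routers:
    main-app-router-redirect:
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
EOF
# Step 6 fix applied: the redirect line commented out.
sed 's/^\(  *\)- redirect-to-https/\1# - redirect-to-https/' "$SAMPLE_DIR/dynamic_config.yml" \
  > "$SAMPLE_DIR/dynamic_config_fixed.yml"

# Demo run over the constructed files.
for code in 0 7 28; do echo "curl exit $code -> $(port80_verdict "$code")"; done
echo "active redirects (before fix): $(active_redirect_refs "$SAMPLE_DIR/dynamic_config.yml")"
echo "active redirects (after fix):  $(active_redirect_refs "$SAMPLE_DIR/dynamic_config_fixed.yml")"
check_http01_entrypoint "$SAMPLE_DIR/traefik_config.yml"
check_http01_entrypoint "$SAMPLE_DIR/traefik_config_bad.yml" || echo "(exit status $? as expected)"
```

Run it as a script to see the demo, or source it and call e.g. `check_http01_entrypoint config/traefik/traefik_config.yml` and `active_redirect_refs` on your dynamic config. `live_port80_check yourdomain.com` is the one function that needs network access; run it from outside the VPS, as step 2 says.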
8. Check for CrowdSec blocking ACME
CrowdSec sometimes blocks the Let's Encrypt validation servers' IPs, so the HTTP‑01 request never reaches Traefik.
If you see errors like:
Temporarily disable the CrowdSec middleware in the dynamic config:
# - crowdsec@file
Restart Traefik, and re-enable the middleware once the certificate has been issued.
9. Restart Traefik and watch ACME logs
Traefik retries ACME automatically.
docker logs traefik -f
You want to see:
Server responded with certificate
10. Re-enable HTTPS redirect after certificate is issued
Once ACME succeeds, you can safely turn HTTPS redirect back on:
middlewares:
- redirect-to-https
Restart Traefik again.
11. Verify HTTPS is working
From your laptop:
curl -I https://yourdomain.com
You should see:
HTTP/2 200
Or a redirect.
12. Confirm Pangolin + Newt tunnel works
Once ACME is fixed:
- Pangolin can issue tokens
- WebSocket handshake succeeds
- Newt receives WireGuard config
- Tunnel comes up normally