Traefik cannot negotiate ALPN

Description

We recently installed rocketchat using docker compose. We used this guide: Deploy with Docker and Docker Compose. However, we were not able to get HTTPS working using Traefik. It is unable to generate a certificate using Let’s Encrypt.

The Traefik logs are showing the following error:
2026-05-28T21:08:06Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mydomain.com]: error: one or more domains had a problem:\n[mydomain.com] invalid authorization: acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.com"] providerName=le.acme routerName=rocketchat@file rule=Host(`mydomain.com`)

We’ve tried changing the .env config file, but we are not able to fix the issue.

Server Setup Information

  • Version of Rocket.Chat Server: 8.4.0
  • Operating System: Ubuntu 24.04.4 LTS
  • Deployment Method: Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:
  • Proxy: Traefik
  • Firewalls involved: None

Any additional Information

We’ve not changed the compose.treafik.yml.

This is our .env file:

#!/bin/sh

# Change these
REG_TOKEN=
DOMAIN=mydomain.com
ROOT_URL=https://mydomain.com
RELEASE=8.4.0

# Change to true after you set your domain and valid lets encrypt email
LETSENCRYPT_ENABLED=true
LETSENCRYPT_EMAIL=myemail@mydomain.com
TRAEFIK_PROTOCOL=https

# Prometheus
PROMETHEUS_RETENTION_SIZE=15GB
PROMETHEUS_RETENTION_TIME=15d
# default prometheus port (9090) conflicts with cockpit in centos
PROMETHEUS_PORT=9000

# Grafana
# Set to empty string to use a subpath
GRAFANA_DOMAIN=grafana.mydomain.com
# set to /grafana to use from a subpath
GRAFANA_PATH=/grafana

GRAFANA_ADMIN_PASSWORD=rc-admin
GRAFANA_HOST_PORT=5050
GRAFANA_BIND_IP=127.0.0.1

# Traefik ports
TRAEFIK_HTTP_PORT=80
TRAEFIK_DASHBOARD_PORT=8080
TRAEFIK_HTTPS_PORT=443

# MongoDB
MONGODB_BIND_IP=127.0.0.1
MONGODB_PORT_NUMBER=27017

# Nats
NATS_PORT_NUMBER=4222
NATS_BIND_IP=127.0.0.1



Try searching your error:

“invalid authorization: acme: error: 403”

Then fix your webserver/reverse proxy.

That’s your problem. Letsencrypt can’t see the right files/dirs. Your webserver logs will show you where the errors are.

Hi,

We’ve managed to fix the issue. There was a wrong DNS setting. The AAAA was not set correctly.

Thank you for your help!
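
Added example, not part of the thread and not Rocket.Chat or Traefik code: a check for the cause found above, a stale AAAA record. Let's Encrypt prefers IPv6 when an AAAA record exists, so validation can go to the wrong host even though IPv4 clients reach the proxy. The function names and the documentation-range sample addresses are assumptions made for this sketch.

```python
import hashlib
import ipaddress
import socket
import ssl
import sys


def resolve(domain, port=443):
    """Return every A and AAAA address the local resolver gives for domain."""
    infos = socket.getaddrinfo(domain, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def stale_records(resolved, server_addrs):
    """Return (record type, address) for each resolved address the server does not own."""
    own = {ipaddress.ip_address(a) for a in server_addrs}
    stale = []
    for addr in resolved:
        ip = ipaddress.ip_address(addr)  # normalises compressed/expanded IPv6 forms
        if ip not in own:
            stale.append(("AAAA" if ip.version == 6 else "A", addr))
    return stale


def cert_fingerprint(addr, domain, port=443, timeout=5):
    """SHA-256 of the certificate served at addr for SNI domain, or an error string."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # identification only: the proxy may still be
    ctx.verify_mode = ssl.CERT_NONE  # serving a self-signed default certificate
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    except OSError as exc:  # covers timeouts, refusals and ssl.SSLError
        return f"error: {exc}"


if __name__ == "__main__":
    if len(sys.argv) >= 3:   # usage: check.py DOMAIN SERVER_IP [SERVER_IP ...]
        domain, own = sys.argv[1], sys.argv[2:]
        found = resolve(domain)
        for addr in found:   # differing fingerprints mean different services answer
            print(addr, cert_fingerprint(addr, domain))
    else:                    # constructed sample: documentation-range addresses
        own = ["203.0.113.10", "2001:db8::1"]
        found = ["203.0.113.10", "2001:db8::dead"]
    for rtype, addr in stale_records(found, own):
        print(f"{rtype} record {addr} does not point at this server")
```

Run it from a machine with IPv6 connectivity, passing the addresses shown by `ip -br addr` on the Docker host; the local resolver may return cached records, so compare against the authoritative zone if the output looks right but issuance still fails.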