Disabling certificate issuance 'certificatesResolvers' for one domain.

Hi!

I have a virtual machine that should automatically receive and maintain certificates, but the problem is that I have other virtual machines for which Traefik receives certificates.

The problem is that Traefik intercepts requests, and the virtual machine isn't receiving certificates.

DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:84 > Unable to split host and port. Fallback to request host. error="address up.srv.mydomain.com: missing port in address" providerName=acme
DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:104 > Retrieving the ACME challenge for up.srv.mydomain.com (token "9RKPOPV1X32tq8xB7G3LnKQdcPYYsADrcBKZVqMbkVM")... providerName=acme
ERR github.com/traefik/traefik/v3/pkg/provider/acme/challenge_http.go:110 > Cannot retrieve the ACME challenge for up.srv.mydomain.com (token "9RKPOPV1X32tq8xB7G3LnKQdcPYYsADrcBKZVqMbkVM") providerName=acme

I tried using "reusePort," but it didn't work very well. It works, then it doesn't.
I tried using the fake "certificatesResolvers," but that didn't work either (I might be doing something wrong).

Thanks!

traefik.yaml

entryPoints:
  http:
    address: ":80"
    proxyProtocol:
      insecure: true
    forwardedHeaders:
      insecure: true

  https:
    address: ":443"
    proxyProtocol:
      insecure: true
    forwardedHeaders:
      insecure: true

  tcp_8800:
    address: ":8800"
    proxyProtocol:
      insecure: true
    forwardedHeaders:
      insecure: true
log:
  filePath: "/var/log/traefik/traefik.log"
  level: DEBUG
  format: common
accessLog:
  filePath: "/var/log/traefik/traefik_access.log"
  format: common
  fields:
    defaultMode: debug
http:
  routers:
    http-catchall:
      rule: hostregexp(`{host:.+}`)
      entrypoints:
      - http
      middlewares:
      - redirect-to-https
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true
        port: "443"
providers:
  file:
    directory: /etc/traefik/custom
    watch: true

certificatesResolvers:
  LetsEncrypt:
    acme:
      email: buan@mydomain.com
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: http

host_up.srv.mydomain.com.yaml

tcp:
  routers:
    routes_tcp_up.srv.mydomain.com:
      rule: "HostSNI(`up.srv.mydomain.com`)"
      service: service_tcp_up.srv.mydomain.com
      entryPoints:
      - https
      tls:
        passthrough: true
  services:
    service_tcp_up.srv.mydomain.com:
      loadBalancer:
        servers:
        - address: "192.168.88.14:443"
http:
  routers:
    host_http_up.srv.mydomain.com:
      service: service-host_http_up.srv.mydomain.com
      rule: "Host(`up.srv.mydomain.com`) || Host(`www.up.srv.mydomain.com`)"
      entryPoints:
        - http
  services:
    service-host_http_up.srv.mydomain.com:
      loadBalancer:
        serversTransport: transport_http_up.srv.mydomain.com
        servers:
        - url: "http://192.168.88.14"
        passHostHeader: true

  serversTransports:
    transport_http_up.srv.mydomain.com:
      insecureSkipVerify: true

It seems you created certResolver "LetsEncrypt", but it has not been assigned to any entrypoint or router, so it will not do anything.

If you want the service behind Traefik to manage its own TLS certificate, then you should use httpChallenge or dnsChallenge there. Traefik can use tlsChallenge or dnsChallenge.

But Traefik also needs a TLS cert for that service, otherwise it is not able to look into the packets and cannot use HostSNI(). The usual workaround is to use a different port for the encrypted requests.
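The arrangement suggested above, written out as an added example (not the poster's files or Traefik's own documentation): Traefik's resolver is switched from httpChallenge to tlsChallenge so nothing on the http entrypoint answers /.well-known/acme-challenge/ before routing, and the resolver is attached to a router for a host Traefik itself terminates. The host app.mydomain.com, its service name and the backend 192.168.88.20 are assumed values.

```yaml
# traefik.yaml (static config) - added example, not the poster's file
certificatesResolvers:
  LetsEncrypt:
    acme:
      email: buan@mydomain.com
      storage: /etc/traefik/acme.json
      # Weak setting that produced the errors in the log above:
      #   httpChallenge:
      #     entryPoint: http
      # With it, Traefik answers every /.well-known/acme-challenge/ request
      # on :80 itself, before any router, and returns an error for tokens it
      # did not issue, so the VM's own client never sees its challenge.
      # TLS-ALPN-01 needs no HTTP handler; Traefik must be reachable on :443.
      tlsChallenge: {}

---
# /etc/traefik/custom/app.mydomain.com.yaml (dynamic config) - hypothetical
# host whose certificate Traefik should obtain and renew itself.
http:
  routers:
    app-mydomain:
      rule: "Host(`app.mydomain.com`)"
      entryPoints:
        - https
      service: app-mydomain
      tls:
        certResolver: LetsEncrypt   # the resolver only acts where a router references it
  services:
    app-mydomain:
      loadBalancer:
        servers:
          - url: "http://192.168.88.20"   # constructed backend address
```

The posted host_up.srv.mydomain.com.yaml stays unchanged: its http router on the http entrypoint is what forwards the VM's own HTTP-01 requests to 192.168.88.14 once Traefik stops answering them, and its TCP passthrough router has no certResolver, so Traefik never requests a certificate for that name.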

Thank you for your interest in my problem.

There was some confusion because I have an "entryPoint" assigned to "http."

It's right at the very end of my "traefik.yaml."

Thank you.