Entrypoint does not resolve service correctly if tls.certResolver is set

I struggled for hours trying to understand what is wrong with my setup, until I discovered that removing the tls.certResolver option (using an ACME provider) from my HTTP router is the key. But I don't understand why, please explain to me what is going on... I need to reintroduce that option.

The problem: I am getting a 404 when trying to access my service

Consider the following:

  1. I am working on a local development environment. I expect the ACME protocol to fail: no problem

  2. My initial setup involved several services, I cut them down to the essential: traefik and a webservice

    ./docker-compose.yml

    services:
      traefik:
        image: traefik:v3.2
        command:
        - "--accesslog=true"
        - "--accesslog.format=json"
        - "--api.debug=true"
        - "--api.insecure=true"
        - "--api=true"
        - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
        - "--certificatesresolvers.myresolver.acme.email=my@email.com"
        - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
        - "--certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json"
        - "--entryPoints.web.address=:80"
        - "--entryPoints.websecure.address=:443"
        - "--log.level=DEBUG"
        - "--providers.file.directory=/etc/traefik"
        - "--providers.file.watch=true"
        - "--serverstransport.insecureskipverify"
        - "--tracing.otlp.http.endpoint=http://collector:4318/v1/traces"
        - "--tracing=true"
        volumes:
          - ./traefik:/etc/traefik
        ports:
          - "80:80"
          - "443:443"
          - "8080:8080"
        restart: "unless-stopped"
    
      fuertetop:
        build:
          context: ./fuertetop
        environment:
          PORT: "9999"
        ports:
          - "9999"
    

    ./traefik/base.yml

    http:
      routers:
        fuertetop:
          entrypoints:
          - web
          - websecure
          rule: "Host(`www.fuertetop.com`) || Host(`fuertetop.com`)"
          service: fuertetop
          #tls:
          #  certResolver: myresolver
    
      services:
        fuertetop:
          loadBalancer:
            servers:
              - url: http://fuertetop:9999/
    
  3. When I uncomment the tls.certResolver option in my base.yml config, I can clearly see that the entrypoint does not match any service. This is reflected by the logs, which do not include any ServiceName:

    {
      "ClientAddr":"172.28.0.1:60366",
      "ClientHost":"172.28.0.1",
      "ClientPort":"60366",
      "ClientUsername":"-",
      "DownstreamContentSize":19,
      "DownstreamStatus":404,
      "Duration":36465,
      "GzipRatio":0,
      "OriginContentSize":0,
      "OriginDuration":0,
      "OriginStatus":0,
      "Overhead":36465,
      "RequestAddr":"www.fuertetop.com",
      "RequestContentSize":0,
      "RequestCount":2,
      "RequestHost":"www.fuertetop.com",
      "RequestMethod":"GET",
      "RequestPath":"/favicon.ico",
      "RequestPort":"-",
      "RequestProtocol":"HTTP/1.1",
      "RequestScheme":"http",
      "RetryAttempts":0,
      "SpanId":"42eb2cd422bfe363",
      "StartLocal":"2025-02-02T15:58:14.601864457Z",
      "StartUTC":"2025-02-02T15:58:14.601864457Z",
      "TraceId":"861ba7cd3adbde4018db8e7e2955c70f",
      "entryPointName":"web",
      "level":"info",
      "msg":"",
      "time":"2025-02-02T15:58:14Z"
    }
    
  4. The dashboard, however, does not seem to indicate any problem with the chaining from Entrypoint to Router to Service:


  5. It simply seems that the failure of the ACME protocol (as shown by the last line in the logs, which were too long to attach here) determines the unavailability of the service on the entrypoint

You enable TLS on web and websecure, which seems strange. Usually you would assign the certResolver only to the websecure entrypoint, or assign the certResolver to a router that only listens on websecure. Check the simple Traefik example.

Removing the tls.certResolver from all routers and placing it in the cmdline arguments on the entrypoint solved my problem, thank you.
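The two fixes discussed in this thread (the reply's "only on websecure" advice and the poster's final entrypoint-level solution) in one place, as an added example that is neither the original poster's files nor Traefik's own sample config. It reuses the thread's names (myresolver, web, websecure, fuertetop, /etc/traefik) and is constructed for illustration. The underlying cause is documented Traefik behaviour: a router that carries a tls section is dedicated to TLS requests and ignores plain HTTP, so a router listed on both web and websecure with tls.certResolver set can no longer match anything arriving on :80, and the request falls through to Traefik's built-in 404. The example moves TLS and the resolver onto the websecure entrypoint, redirects web to it, and lists the router only on websecure.

```yaml
# Added example (constructed, not from the original post). Two files are shown,
# separated by a YAML document marker.

# ./docker-compose.yml, Traefik service only; the fuertetop service is unchanged.
services:
  traefik:
    image: traefik:v3.2
    command:
      # :80 answers the ACME HTTP-01 challenge and otherwise redirects to HTTPS.
      # Traefik's challenge handler takes precedence over the redirect, so the
      # httpchallenge on the web entrypoint keeps working.
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      # TLS and the resolver are declared once, on the TLS entrypoint.
      # Routers attached to websecure inherit it and need no tls block.
      - "--entryPoints.websecure.address=:443"
      - "--entryPoints.websecure.http.tls=true"
      - "--entryPoints.websecure.http.tls.certResolver=myresolver"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=my@email.com"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json"
      - "--providers.file.directory=/etc/traefik"
      - "--providers.file.watch=true"
      - "--accesslog=true"
      - "--accesslog.format=json"
      - "--log.level=DEBUG"
      # Deliberately omitted from this example: --api.insecure=true (unauthenticated
      # dashboard on :8080) and --serverstransport.insecureskipverify. Both are
      # development-only settings and should not reach a host with a public IP.
    volumes:
      - ./traefik:/etc/traefik
    ports:
      - "80:80"
      - "443:443"
    restart: unless-stopped

---
# ./traefik/base.yml (dynamic configuration, picked up by the file provider).
http:
  routers:
    fuertetop:
      # Only the TLS entrypoint. Plain-HTTP clients reach this router through
      # the redirect configured on web above.
      entrypoints:
        - websecure
      rule: "Host(`www.fuertetop.com`) || Host(`fuertetop.com`)"
      service: fuertetop
      # Alternative from the reply: keep the resolver on the router instead of
      # the entrypoint. It is equivalent as long as the router is NOT also
      # listed on web:
      #tls:
      #  certResolver: myresolver

  services:
    fuertetop:
      loadBalancer:
        servers:
          - url: http://fuertetop:9999/
```

With this layout a request to http://www.fuertetop.com/ is answered by the entrypoint redirect (a 3xx, not a 404) and the router is only ever evaluated on :443. In the local environment from the thread the ACME exchange still fails, so Traefik serves its generated default certificate on websecure; the access-log entries for :443 should nevertheless carry RouterName and ServiceName, which is the quickest check that the routing chain is intact again.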