Globally enabled http to https blocks cert manager http challenge

Hi all,

I've read many posts on a similar subject but I couldn't find an answer for my issue.

I'm using traefik 2.10 with globally enabled http to https redirection since I have a large k8s cluster with about 30+ applications with a mix of http and https exposed ingresses, so global redirection comes in handy.
However, I'm getting an issue with ACME solver pods since our ACME server works only with http (not like letsencrypt which can handle https on http-01 challenges). In addition we can't switch to DNS challenge.

So what can be done to overcome this issue, since I couldn't find the right approach to exclude the .well-known/acme-challenge path from being redirected to https?

You can set priority on entrypoint and have a router that is higher (larger) to still forward plain http .well-known/acme-challenge to a service. It works, see Traefik certbot proof-of-concept.
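As an added illustration of the priority approach (this is not configuration from the thread or from the Traefik or cert-manager projects; the issuer name, ACME server URL, e-mail and secret name are placeholders): the entrypoint-level redirection keeps its default router priority of MaxInt32-1 (2147483646), and cert-manager's `ingressTemplate` stamps the solver Ingress with a Traefik priority annotation one higher, so only the ACME path is served over plain http while everything else is still redirected.

```yaml
# --- Traefik static configuration (unchanged global redirect) ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
          # Default router priority for this redirect is MaxInt32-1 (2147483646).
          # Lowering it here instead would let ordinary Ingress routers, whose
          # auto-computed priority is their rule length, out-rank the redirect.
  websecure:
    address: ":443"

---
# --- cert-manager issuer: solver Ingress gets a higher-priority Traefik router ---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-acme            # placeholder name
spec:
  acme:
    server: http://acme.internal.example/directory   # placeholder, http-only ACME server
    email: ops@internal.example                      # placeholder
    privateKeySecretRef:
      name: internal-acme-account-key               # placeholder
    solvers:
      - http01:
          ingress:
            class: traefik
            ingressTemplate:
              metadata:
                annotations:
                  # Pin the solver router to the plain-http entrypoint only.
                  traefik.ingress.kubernetes.io/router.entrypoints: web
                  # MaxInt32: one above the redirect router, so the
                  # /.well-known/acme-challenge/ route wins and is not redirected.
                  traefik.ingress.kubernetes.io/router.priority: "2147483647"
```

The solver Ingress that cert-manager generates for each Order already matches only `/.well-known/acme-challenge/<token>`, so the higher priority applies to nothing else; once the challenge is accepted the Ingress is deleted and the global redirect covers port 80 again. Verify by fetching the challenge URL over http during an Order and confirming a 200 with the key authorization rather than a 301/308.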

Hmm, maybe this could be worth a try, but why do you say it's not production ready?

The whole certbot script is just a hack. TLS is supplied by http to the Traefik instances, reloaded every 15 seconds. If there is an issue with certbot in that scenario, suddenly TLS is gone.

Thanks for the help, but I need a more proven and stable solution since this is a production cluster.
I can't imagine that nobody has solved this, since I've seen many posts, but no concrete solution :frowning:

Traefik and setting priority is very stable :slight_smile: