Problem setting up an MQTT broker + TLS + LETSENCRYPT certificate

hello,

I have been trying to get my mqtt + TLS broker behind Traefik to work for hours but without convincing results.

The broker's administration web server works perfectly in https with letsencrypt but I can't produce the equivalent with the MQTT connection on port 8883

Could someone please help me?

Here is my setup

version: '3.4'
services:

  reverse-proxy:
    image: traefik:${TRAEFIK_VERSION}
    restart: unless-stopped
    ports:
    - 80:80
    - 443:443
    - 8883:8883
    command:
    - --log.level=DEBUG
    - --providers.docker=true
    - --providers.docker.exposedbydefault=false


    # Entrypoints
    - --entrypoints.web.address=:80
    - --entrypoints.webSecure.address=:443
    - --entrypoints.mqtt.address=:8883


    # Redirect http to https
    - --entrypoints.web.http.redirections.entrypoint.to=webSecure
    - --entrypoints.web.http.redirections.entrypoint.scheme=https


    # Let's encrypt configuration
    - --certificatesresolvers.le.acme.email=contact@hexa-ai.fr
    - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    - --certificatesresolvers.le.acme.tlschallenge=true

    volumes:
    - v_traefik:/letsencrypt
    - /var/run/docker.sock:/var/run/docker.sock
 emqx-service:
    image: emqx/emqx:${EMQX_VERSION}
    restart: unless-stopped
    environment:
      - EMQX_LOADED_PLUGINS="emqx_recon,emqx_retainer,emqx_management,emqx_dashboard,emqx_auth_http"
      - EMQX_AUTH__HTTP__AUTH_REQ__URL=${EMQX_AUTH__HTTP__AUTH_REQ__URL}
      - EMQX_AUTH__HTTP__AUTH_REQ__PARAMS=clientId=%c,username=%u,password=%P
      - EMQX_AUTH__HTTP__ACL_REQ__URL=${EMQX_AUTH__HTTP__ACL_REQ__URL}
      - EMQX_AUTH__HTTP__ACL_REQ__PARAMS=access=%A,username=%u,clientId=%c,ipaddr=%a,topic=%t,mountpoint=%m
      - EMQX_ZONE__EXTERNAL__PUBLISH_LIMIT=${EMQX_ZONE__EXTERNAL__PUBLISH_LIMIT}
      - EMQX_MQTT__MAX_PACKET_SIZE=10MB
    volumes:
      - v_emqx-data:/opt/emqx/data
      - v_emqx-etc:/opt/emqx/etc
      - v_emqx-log:/opt/emqx/log
    # ports:
    # - 8883:8883
     # - 3000:18083
    labels:
    - "traefik.enable=true"

    - "traefik.http.routers.emqx-service.rule=Host(`mqtt.hexa-data.fr`)"
    - "traefik.http.routers.emqx-service.tls.certresolver=le"
    - "traefik.http.services.emqx-service.loadbalancer.server.port=18083"

    # - "traefik.tcp.routers.emqx-service.rule=HostSNI(`*`)"
    # - "traefik.tcp.routers.emqx-service.tls.certresolver=le"
    # - "traefik.tcp.services.emqx-service.loadbalancer.server.port=8883"


    # Entrypoints
    # - "traefik.tcp.routers.emqx-service.entrypoints=mqtt"
    - "traefik.http.routers.emqx-service.entrypoints=webSecure"


    - "traefik.tcp.routers.emqx-service.rule=HostSNI(`*`)"
    - "traefik.tcp.routers.emqx-service.tls.certresolver=le"
    - "traefik.tcp.services.emqx-service.loadbalancer.server.port=8883"
    - "traefik.tcp.routers.emqx-service.entrypoints=mqtt"


    extra_hosts:
    - "host.docker.internal:host-gateway"

Is the MQTT protocol based on HTTP? I am not sure if you can use HostSNI. (Docs)

    - "traefik.tcp.routers.emqx-service.rule=HostSNI(`*`)"

Did you try to use different router names?

    - "traefik.http.services.emqx-service.loadbalancer.server.port=18083"
    - "traefik.tcp.services.emqx-service-TCP.loadbalancer.server.port=8883"

Maybe provide your container config with labels.