Routing and HTTP-01 challenge: web-to-websecure prioritized over acme-http route?


With this setup:

```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
```

Traefik creates two internal routes:

  • web-to-websecure@internal: `HostRegexp({host:.+})`
  • acme-http@internal: `PathPrefix(/.well-known/acme-challenge/)`

which are the only two routes I have on the "web" entrypoint.

I would assume that acme-http@internal would get a higher priority, since the rule is longer, but for some reason, the HTTP-01 challenge requests are given to web-to-websecure@internal, not acme-http@internal:

Jan 20 14:31:39 *** traefik[19687]: 2600:1f14:804:fd01:*** - - [20/Jan/2021:14:31:39 +0000] "GET /.well-known/acme-challenge/uu6anJCMiaRvIo*** HTTP/1.1" 301 17 "-" "-" 16 "web-to-websecure@internal" "-" 0ms

And of course this fails if we don't already have a certificate.

I struggle to understand why web-to-websecure@internal is prioritized over acme-http@internal here.

If I temporarily disable the http.redirections block, the HTTP-01 challenge works.

Hi @danmichaelo,

Yes, that does seem to be correct. The default challenge for a letsencrypt provider is tls (TLS-ALPN-01). All that is required for that is your TLS-enabled entrypoint on port 443.

If you really want to use the HTTP-01 challenge, set the entrypoint redirect priority lower than the .well-known one. 2147483646 should work.

`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_REDIRECTIONS_ENTRYPOINT_PRIORITY`: Priority of the generated router. (Default: 2147483647)

The acme http challenge uses MaxInt32, 2147483647
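The same static configuration from the question with the fix from this reply applied, as an added example that is not from either poster. It assumes the Traefik v2 YAML file format, and that the `priority` key under `http.redirections.entryPoint` is the file-based equivalent of the `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_REDIRECTIONS_ENTRYPOINT_PRIORITY` environment variable quoted above; the value 2147483646 is the one suggested in the reply.

```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          # Default is 2147483647 (MaxInt32), the same value the internal
          # acme-http router uses, so the redirect can win the tie and answer
          # the HTTP-01 request with a 301 before the challenge handler sees it.
          # One below MaxInt32 keeps the redirect for everything except
          # /.well-known/acme-challenge/, which the acme-http router now wins.
          priority: 2147483646

  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
      # Assumed placeholder values; not from the original post.
      email: admin@example.invalid
      storage: /etc/traefik/acme.json
```

With this in place the redirect still applies to ordinary plain-HTTP traffic, while a request for `/.well-known/acme-challenge/<token>` on port 80 should appear in the access log with `acme-http@internal` as the router and a 200 status instead of the 301 from `web-to-websecure@internal` shown in the question. That log line is the quickest way to confirm the priority change took effect before the first certificate is issued.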
