(Sorry for the double back ticks, seems like escaping backticks doesn't work)
With this setup:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
```
Traefik creates two internal routes:
- web-to-websecure@internal: HostRegexp(``{host:.+}``)
- acme-http@internal: PathPrefix(``/.well-known/acme-challenge/``)
which are the only two routes I have on the "web" entrypoint.
I would assume that acme-http@internal would get a higher priority, since the rule is longer, but for some reason, the HTTP-01 challenge requests are given to web-to-websecure@internal, not acme-http@internal:
Jan 20 14:31:39 *** traefik[19687]: 2600:1f14:804:fd01:*** - - [20/Jan/2021:14:31:39 +0000] "GET /.well-known/acme-challenge/uu6anJCMiaRvIo*** HTTP/1.1" 301 17 "-" "-" 16 "web-to-websecure@internal" "-" 0ms
And of course this fails if we don't already have a certificate.
I struggle to understand why web-to-websecure@internal is prioritized over acme-http@internal here.
If I temporarily disable the http.redirections block, the HTTP-01 challenge works.
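
One way to confirm from the access log which router answered each HTTP-01 challenge request, added here as an example that is not part of the original post. The field layout is taken from the log line quoted above; the function name and the two extra sample lines are constructed, and it is an assumption that a correctly handled challenge is logged under `acme-http@internal` with a 2xx status.

```python
import re

# Fields of the access log line shown in the post, located after any syslog
# prefix: [timestamp] "METHOD path proto" status size "referer" "ua" count
# "router" "server" duration.
ACCESS_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" \d+ '
    r'"(?P<router>[^"]*)" "[^"]*" \d+ms'
)
ACME_PREFIX = "/.well-known/acme-challenge/"
ACME_ROUTER = "acme-http@internal"


def misrouted_challenges(lines):
    """Return (timestamp, router, status) for every HTTP-01 challenge request
    that was not answered by acme-http@internal with a 2xx status."""
    findings = []
    for line in lines:
        m = ACCESS_RE.search(line)
        if m is None or not m["path"].startswith(ACME_PREFIX):
            continue  # unparsable line or not a challenge request
        status = int(m["status"])
        if m["router"] != ACME_ROUTER or not 200 <= status < 300:
            findings.append((m["ts"], m["router"], status))
    return findings


# The first line is the one quoted in the post (masking kept as posted).
# The other two are constructed sample lines using documentation addresses.
SAMPLE = [
    'Jan 20 14:31:39 *** traefik[19687]: 2600:1f14:804:fd01:*** - - '
    '[20/Jan/2021:14:31:39 +0000] '
    '"GET /.well-known/acme-challenge/uu6anJCMiaRvIo*** HTTP/1.1" '
    '301 17 "-" "-" 16 "web-to-websecure@internal" "-" 0ms',
    '192.0.2.10 - - [20/Jan/2021:14:32:05 +0000] '
    '"GET /.well-known/acme-challenge/CONSTRUCTED-TOKEN HTTP/1.1" '
    '200 87 "-" "-" 17 "acme-http@internal" "-" 1ms',
    '192.0.2.11 - - [20/Jan/2021:14:32:09 +0000] "GET / HTTP/1.1" '
    '301 17 "-" "-" 18 "web-to-websecure@internal" "-" 0ms',
]

if __name__ == "__main__":
    for ts, router, status in misrouted_challenges(SAMPLE):
        print(f"{ts}: challenge answered by {router} with HTTP {status}")
```

Ordinary redirects of non-challenge paths are ignored, so only challenge requests that hit the wrong router or returned a non-2xx status are reported.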