Traefik default certificate presented on - how to give 204 or redirect to 443

Hi everyone,

I'm using Traefik 2.5 behind an NLB AWS load balancer.

The Traefik service has the following annotations: nlb http "*" <arn of AWS certificate> "websecure" "ELBSecurityPolicy-FS-1-2-Res-2019-08"

Spec section of the Traefik service:

  type: LoadBalancer
    app: traefik
  - protocol: TCP
    port: 443
    name: websecure
    targetPort: 443
  - protocol: TCP
    port: 80
    name: web

Deployment args:

        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443
        - --entryPoints.ssh.proxyProtocol.trustedIPs=, <private subnet ip range>
        - --entryPoints.web.proxyProtocol.trustedIPs=,<private subnet ip range>
        - --entryPoints.websecure.proxyProtocol.trustedIPs=,<private subnet ip range>
        #permanent redirecting of all requests on http (80) to https (443) using default scheme (https)
        - --entryPoints.web.http.redirections.entryPoint.scheme=https
        - --entryPoints.web.http.redirections.entrypoint.permanent=true
        #default middleware(s) prepended to each router associated with entry point
        - --entryPoints.websecure.http.middlewares=default-traefik-backend-retry@kubernetescrd 
        - --providers.kubernetesingress
        - --providers.kubernetesingress.labelselector=traffic-type=external
        - --providers.kubernetescrd

Deployment ports section:

          - name: web
            containerPort: 80
          - name: websecure
            containerPort: 443

Default backend middleware:

kind: Middleware
  name: traefik-backend-retry
  namespace: default
    attempts: 3

With this configuration, if I'm hitting my URL with: I'm being presented with the default Traefik certificate. However, the usual redirection from HTTP to HTTPS works perfectly.

I have tested to see what the response is on other websites, for example will present a 204.

I have tried to redirect port 443 to port 80 but I get the error message. I think that the controller doesn't know about the AWS ACM certificate that is only presented at the service level, and when I'm forcing port 80 on an https:// request I'm correctly getting the default self-signed internal Traefik certificate. In this case, would it be an option to present the AWS ACM cert, apply a redirect, or just return the 204 HTTP response?

How do you usually deal with this situation in your environment? Thank you so much!