Traefik default certificate presented on https://mydomain.com:80 - how to give 204 or redirect to 443

Hi everyone,

I'm using Traefik 2.5 behind an NLB AWS load balancer.

The Traefik service has the following annotations:

    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <arn of AWS certificate>
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "websecure"
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-FS-1-2-Res-2019-08"

Spec section of the Traefik service:

    spec:
      type: LoadBalancer
      selector:
        app: traefik
      ports:
      - protocol: TCP
        port: 443
        name: websecure
        targetPort: 443
      - protocol: TCP
        port: 80
        name: web

Deployment args:

        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443
        - --entryPoints.ssh.proxyProtocol.trustedIPs=127.0.0.1/32,<private subnet ip range>
        - --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,<private subnet ip range>
        - --entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,<private subnet ip range>
        #permanent redirecting of all requests on http (80) to https (443) using default scheme (https)
        - --entryPoints.web.http.redirections.entryPoint.to=websecure
        - --entryPoints.web.http.redirections.entryPoint.scheme=https
        - --entryPoints.web.http.redirections.entrypoint.permanent=true
        #default middleware(s) prepended to each router associated with entry point
        - --entryPoints.websecure.http.middlewares=default-traefik-backend-retry@kubernetescrd 
        - --providers.kubernetesingress
        - --providers.kubernetesingress.labelselector=traffic-type=external
        - --providers.kubernetescrd

Deployment ports section:

    ports:
      - name: web
        containerPort: 80
      - name: websecure
        containerPort: 443

Default backend middleware:

    kind: Middleware
    apiVersion: traefik.containo.us/v1alpha1
    metadata:
      name: traefik-backend-retry
      namespace: default
    spec:
      retry:
        attempts: 3
    ---

With this configuration, if I hit my URL with https://mydomain.com:80, I'm presented with the default Traefik certificate. However, the usual redirection from http to https works perfectly.

I have tested to see what the response is on other websites; for example, https://youtube.com:80 will present a 204.

I have tried to redirect port 443 to port 80, but I get the error message. I think that the controller doesn't know about the AWS ACM certificate, which is only presented at the service level, and when I force port 80 on an https:// request I correctly get the default self-signed internal Traefik certificate. In this case, would it be an option to present the AWS ACM cert, apply a redirect, or just return the 204 HTTP response?

How do you usually deal with this situation in your environment? Thank you so much!
ovi10nsc
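
The following is an added example, not part of the original post and not Traefik or AWS code: a small check that reads the Service annotations quoted above and reports on which listener ports the load balancer terminates TLS with the ACM certificate, and on which ports a TLS handshake is passed through to Traefik. The Service fields are copied from the post into a dict, the function names are hypothetical, and it assumes the AWS cloud provider behaviour that `ssl-ports` defaults to `*` and accepts port names or numbers.

```python
# Service fields copied from the post; the certificate ARN stays a placeholder.
SERVICE = {
    "metadata": {"annotations": {
        "service.beta.kubernetes.io/aws-load-balancer-type": "nlb",
        "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "<arn of AWS certificate>",
        "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "websecure",
    }},
    "spec": {"ports": [
        {"protocol": "TCP", "port": 443, "name": "websecure", "targetPort": 443},
        {"protocol": "TCP", "port": 80, "name": "web"},
    ]},
}

PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"


def tls_terminating_ports(service):
    """Map each Service port to True when the load balancer terminates TLS on it."""
    ann = service.get("metadata", {}).get("annotations", {})
    has_cert = bool(ann.get(PREFIX + "ssl-cert"))
    # Assumption: without ssl-ports the provider applies the certificate to all ports.
    raw = ann.get(PREFIX + "ssl-ports", "*")
    selected = {item.strip() for item in raw.split(",") if item.strip()}
    result = {}
    for p in service["spec"]["ports"]:
        # ssl-ports entries may be port names or port numbers.
        match = ("*" in selected or p.get("name") in selected
                 or str(p["port"]) in selected)
        result[p["port"]] = has_cert and match
    return result


def passthrough_ports(service):
    """Ports where a TLS ClientHello reaches the backend (here Traefik) untouched."""
    return sorted(port for port, tls in tls_terminating_ports(service).items()
                  if not tls)


if __name__ == "__main__":
    for port, tls in sorted(tls_terminating_ports(SERVICE).items()):
        where = ("load balancer (ACM certificate)" if tls
                 else "backend pod (its own certificate)")
        print(f"port {port}: TLS handshake answered by {where}")
```

For the Service in the post, port 80 is reported as passthrough, which matches the default Traefik certificate being presented on https://mydomain.com:80.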