This line-by-line approach of copy-paste is also what I used in the past. That's how I found that one time the "entrypoint" specification was causing the entire thing to break down. So your principle works. It's just that the logs should be more explanatory (especially in DEBUG mode).
For sure not every home user can afford an enterprise subscription, eh?
Unfortunately your simple example does NOT work with the latest traefik. Try it out for yourself.
It's a good example and I appreciate your sharing of examples, information, replying to posts etc.
I tried replacing the permanent redirect I had with the "asDefault" you have in your example: the "asDefault" gives a config error and traefik container crashes.
As soon as "asDefault" is removed then it starts working again. I guess it was removed at some point in some version of traefik.
So now I removed both the "asDefault" and my "permanent" redirect. Still TLSChallenge fails.
I tried removing (backing up first) the acme.json file and trying again. The error continues to occur unfortunately.
Anyway, this seems related to Https redirection without breaking letsencrypt http challenge - #3 by badsyntax
So I must keep the HTTPChallenge otherwise things don't work (with other subdomain names the same problem occurs). And to do that requires disabling ALL HTTP -> HTTPS redirects, otherwise the challenge itself fails.
I just wish that, like @badsyntax mentions in his post, there was a way to exclude the /.well-known/acme-challenge/ path from redirects (Feature request: support for an 'exclude' option on redirection (a.k.a negated regex) · Issue #1373 · traefik/traefik · GitHub). But so far that is not implemented.
Actually that should be a BUG: there should be some logic within traefik that, if REDIRECTS are enabled and HTTPChallenge is also ENABLED, an exception for /.well-known/acme-challenge/ is created so that it does NOT redirect to HTTPS.
So the only way to have both LetsEncrypt Certificates working and Redirects seems to be to define Redirect Rules in each container compose.yml file, which is pretty stupid, when all I'd like is "Redirect everything to https EXCEPT /.well-known/acme-challenge/". Or maybe only enabling the websecure / https entrypoint in those containers (although that previously also caused traefik to crash on me).
Or having to "bootstrap" like I explained in my first post for each container / subdomain, not only the traefik server itself.
Granted there are "hacks" like I already do in my internal network (using dnsChallenge with certbot and cloudflare API), so I could most likely use a certbot container to generate the certs, and then load them manually into traefik by some BASH script or the likes of it.
But all of these would be "hacks" and not really a nice solution.
You can argue that it's "just my problem" (although I would argue that is not a constructive approach), but it should work "out of the box". Clearly it doesn't.
The same could be said for podman. Since this is a community forum for users helping other users, I also shared (in another post) how to make traefik work by automatically restarting it whenever a new container is spun up in podman. Maybe this works out of the box in Docker, but it clearly didn't in Podman. I proposed a fix and shared it with the community and moved on.
Just stating that "podman is not supported" is not really helpful. While it may be true, I don't think every user wants to change their entire codebase and infrastructure just because of one line/feature that doesn't work as such. Podman is gaining popularity every day. Why only Docker should be supported is beyond me. All other containers I have run fine with Podman ...
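The failure described in this post (the HTTP-01 challenge request being caught by the HTTP-to-HTTPS redirect) shows up directly in Traefik's access log: a GET to /.well-known/acme-challenge/ answered with a 3xx. The following is an added example, not code from the thread or from the Traefik project; it parses CLF-style access log lines (the sample lines and their router names are constructed) and flags challenge requests that were redirected instead of served, plus a small model of the "redirect everything except the challenge path" rule the post asks for.

```python
import re

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample in Traefik's default CLF-style access log layout (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /.well-known/acme-challenge/AbC123 HTTP/1.1" 301 17 "-" "-" 12 "web-to-websecure@internal" "-" 0ms
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /.well-known/acme-challenge/AbC123 HTTP/1.1" 200 87 "-" "-" 13 "acme-http@internal" "-" 1ms
198.51.100.9 - - [10/May/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 301 17 "-" "-" 14 "web-to-websecure@internal" "-" 0ms
"""

# Only the fields needed for this check: client IP, method, path and status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def should_redirect(path):
    """The desired policy: send everything to HTTPS except the ACME challenge path."""
    return not path.startswith(CHALLENGE_PREFIX)


def find_redirected_challenges(log_text):
    """Challenge requests that got a 3xx: each one is a challenge the CA could not complete."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(CHALLENGE_PREFIX) and 300 <= rec["status"] < 400:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_redirected_challenges(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']} (challenge redirected)")
```

Point the function at the real access log to confirm whether a failed TLS/HTTP challenge was actually a redirect problem before touching the redirect rules.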