Traefik v2.2: default certResolver not used (bug?)

Hello,

I just tried the new functionality pushed in v2.2: the ability to add a default certResolver for entrypoints defined in the static config.

I have an entrypoint for HTTPS named websecure, and I attached the certResolver "my-cloudflare" to it:

entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: my-cloudflare
      middlewares:
        - secureHeader@file

And I've defined the certResolver (with the Cloudflare environment variables injected properly):

certificatesResolvers:
  my-cloudflare:
    acme:
      email: xxx@xxx.fr
      storage: /etc/traefik/ssl/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53

When I define the labels from Docker Compose, with the entrypoint "websecure", I expect Traefik to trigger the DNS challenge (my-cloudflare) for the specified host (here xxx.domain.fr) automatically, but this does not appear to be the case:

services:
  traefik:
    container_name: traefik
    image: traefik:v2.2
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yaml:/etc/traefik/traefik.yaml
      - ./dynamic/:/etc/traefik/dynamic/
      - ./ssl:/etc/traefik/ssl/
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
    networks:
      - traefik
    restart: always
    labels:
      traefik.enable: true
      traefik.http.routers.api.entrypoints: websecure
      traefik.http.routers.api.rule: Host("xxx.domain.fr")
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.tls: true

With the above config, Traefik is not generating the SSL certificate signed by Let's Encrypt with my-cloudflare, assigned to the websecure endpoint.

If I want Traefik to trigger the DNS challenge to generate the certificate with the my-cloudflare resolver, I need to add this label to my docker-compose container:

 traefik.http.routers.api.tls.certResolver: my-cloudflare

Why? Isn't Traefik supposed to detect that the entrypoint "websecure" uses the certResolver "my-cloudflare" and, that way, automatically generate the DNS challenge?

Thanks.

Hello,

The certificate resolver defined on the HTTP options of the entrypoint works, so I think there is an error in your configuration.

Could you provide your full configuration and logs?


edit:

Could you remove traefik.http.routers.api.tls: true?

Hello,

I tried it, and yes, that was it.

The presence of the label redefines the entire tls{} section of the container object. It had to be deleted (i.e. it overrides the tls section of the entrypoint).

traefik.http.routers.api.tls: true

Now the definition is:

services:
  traefik:
    container_name: traefik
    image: traefik:v2.2
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yaml:/etc/traefik/traefik.yaml
      - ./dynamic/:/etc/traefik/dynamic/
      - ./ssl:/etc/traefik/ssl/
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
    networks:
      - traefik
    restart: always
    labels:
      traefik.enable: true
      traefik.http.routers.api.entrypoints: websecure
      traefik.http.routers.api.rule: Host("xxx.domain.fr")
      traefik.http.routers.api.service: api@internal

So it works now!
Thanks!
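The pitfall the thread settles on, as an added example (not part of the thread and not Traefik's own code): a small lint that flags routers whose tls label replaces the entrypoint's default tls block and therefore drops its certResolver. The static config and the label sets are hand-built to mirror the thread; the function names are my own.

```python
"""Lint Docker labels for routers that silently lose an entrypoint's certResolver.

A `traefik.http.routers.<name>.tls` label (even just "true") defines the router's
whole tls section, so the entrypoint's `http.tls.certResolver` no longer applies
unless the router also sets `tls.certresolver` itself.
"""

# Constructed static config, mirroring the thread's traefik.yaml.
STATIC_CONFIG = {
    "entryPoints": {
        "web": {"address": ":80"},
        "websecure": {
            "address": ":443",
            "http": {"tls": {"certResolver": "my-cloudflare"}},
        },
    }
}

# Constructed labels: the thread's first (failing) attempt and the fixed version.
LABELS_BROKEN = {
    "traefik.enable": "true",
    "traefik.http.routers.api.entrypoints": "websecure",
    "traefik.http.routers.api.rule": 'Host("xxx.domain.fr")',
    "traefik.http.routers.api.service": "api@internal",
    "traefik.http.routers.api.tls": "true",
}
LABELS_FIXED = {k: v for k, v in LABELS_BROKEN.items() if k != "traefik.http.routers.api.tls"}


def entrypoint_resolvers(static_cfg):
    """Map entrypoint name -> default certResolver, for entrypoints that define one."""
    out = {}
    for name, ep in static_cfg.get("entryPoints", {}).items():
        resolver = ep.get("http", {}).get("tls", {}).get("certResolver")
        if resolver:
            out[name] = resolver
    return out


def routers_from_labels(labels):
    """Group traefik.http.routers.<name>.<option> labels by router name (options lowercased)."""
    routers, prefix = {}, "traefik.http.routers."
    for key, value in labels.items():
        if key.startswith(prefix):
            name, _, option = key[len(prefix):].partition(".")
            routers.setdefault(name, {})[option.lower()] = str(value)
    return routers


def find_overridden_resolvers(static_cfg, labels):
    """Return (router, entrypoint, lost_resolver) for every router that overrides tls
    on an entrypoint with a default certResolver without naming a resolver itself."""
    defaults, findings = entrypoint_resolvers(static_cfg), []
    for name, opts in routers_from_labels(labels).items():
        overrides_tls = any(k == "tls" or k.startswith("tls.") for k in opts)
        if overrides_tls and "tls.certresolver" not in opts:
            for ep in (e.strip() for e in opts.get("entrypoints", "").split(",")):
                if ep in defaults:
                    findings.append((name, ep, defaults[ep]))
    return findings
```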