Unable to obtain ACME certificate for domains

Hello! I am having a difficult time trying to get Traefik configured appropriately to request certs from LetsEncrypt. I am using Traefik v2 on Kubernetes. The logs I am seeing from the Traefik pod are:

"Unable to obtain ACME certificate for domains \"docs.cstevens.io\": unable to generate a certificate for the domains [docs.cstevens.io]: error: one or more domains had a problem:\n[docs.cstevens.io] acme: error: 400 :: urn:ietf:params:acme:error:connection :: During secondary validation: Fetching http://docs.cstevens.io/.well-known/acme-challenge/hkuZm64VsysFbYV6Vnzh9iN2xsKjymMmgamJ66EOIS4: Connection refused, url: \n" providerName=default.acme routerName=docs-cstevens-io-docs-cstevens-io-cf63e1a54417f82a35e9@kubernetescrd rule="Host(`docs.cstevens.io`)"

Which is weird because, clearly, both http:// and https://docs.cstevens.io are responding just fine.

The pod config is pretty basic:

        - --global.checknewversion
        - --global.sendanonymoususage
        - --entryPoints.traefik.address=:9000/tcp
        - --entryPoints.web.address=:8000/tcp
        - --entryPoints.websecure.address=:8443/tcp
        - --certificatesresolvers.default.acme.httpChallenge.entryPoint=web
        - --certificatesresolvers.default.acme.email=me@mydomain.com
        - --certificatesresolvers.default.acme.storage=/data/acme.json
        - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
        - --api.dashboard=true
        - --ping=true
        - --providers.kubernetescrd
        - --providers.kubernetesingress

Ingressroutes are also pretty basic:

Spec:
  Entry Points:
    websecure
  Routes:
    Kind:   Rule
    Match:  Host(`docs.cstevens.io`)
    Services:
      Name:  docs-cstevens-io
      Port:  80
  Tls:
    Cert Resolver:  default

and

Spec:
  Entry Points:
    web
  Routes:
    Kind:   Rule
    Match:  Host(`docs.cstevens.io`)
    Services:
      Name:  docs-cstevens-io
      Port:  80

I've googled around and some people have had this issue when they were publishing v6 records, but that's not happening in my case. I've also tried switching between httpchallenge and tlschallenge, with no change in results. On the traefik docs site, I see something about port forwarding before adding ingress routes (https://docs.traefik.io/v2.0/user-guides/crd-acme/) but I'm not sure how that would work, since without the ingressroutes how would traefik know what domains to request certificates for?

Thanks for taking the time to read this.