How to Exclude Acme url from http to https redirect

shwetakawale · September 6, 2022, 5:27am

We have ingressRoute with "redirect to https" middleware, so every request gets redirect to https.

#HTTP redirect ingressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: redirect-to-https
spec:
  entryPoints:
  - web
  routes:   
  - kind: Rule
    match: PathPrefix(`/`)
    middlewares:
    - name: redirect-to-https
    priority: 9998 
    services:
    - kind: TraefikService
      name: api@internal

However this create issue for acme url, as it also gets redirect to https and cerficate not getting issue. Acme url only works with http.
we tried to add another rule in same ingressroute with highest priority without middleware but its not working. Request still froward to https.

#HTTP redirect ingressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: redirect-to-https
spec:
  entryPoints:
  - web
  routes:
    #For certificates issue request 
  - kind: Rule
    match: PathPrefix(`/.well-known/acme-challenge/`)
    priority: 9999 # necessary, if you have further Ingress/IngressRoutes
    services:
    - kind: TraefikService
      name: api@internal
  - kind: Rule
    match: PathPrefix(`/`)
    middlewares:
    - name: redirect-to-https
    priority: 9998 # necessary, if you have further Ingress/IngressRoutes
    services:
    - kind: TraefikService
      name: api@internal

Please suggest how to exclude "/.well-known/acme-challenge/" from https redirect. Other than this url all other should redirect to https.

Osiris · September 6, 2022, 6:15am

Why is that? Usually, it shouldn't matter if the challenge was redirected to HTTPS.

The path you're using in your attempt to not redirect the http-01 challenge is correct and I'm not familiar with IngressRoute to suggest anything else I'm afraid. Perhaps anyone else knows.

shwetakawale · September 6, 2022, 10:32am

As per Challenge Types - Let's Encrypt, http-01 only works with http.
Hence as per my ingressroute "/.well-known/acme-challenge/" this request also gets forward to https and then it does not work.

Osiris · September 6, 2022, 11:02am

The validation server will follow redirects to HTTPS. It's just that the first connection will always be initiated over HTTP (port 80).

This is also stated in the challenge docs you've linked to.

rg305 · September 6, 2022, 5:49pm

Hi @shwetakawale, and welcome to the LE community forum

It seems like you might be better served by asking your question on Traefik support channels.

system · October 7, 2022, 3:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.