How to Exclude Acme url from http to https redirect

We have an IngressRoute with a "redirect to https" middleware, so every request gets redirected to https.

```yaml
# HTTP redirect IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: redirect-to-https
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: PathPrefix(`/`)
    middlewares:
    - name: redirect-to-https
    priority: 9998
    services:
    - kind: TraefikService
      name: api@internal
```

However, this creates an issue for the ACME URL, as it also gets redirected to https and the certificate is not getting issued. The ACME URL only works with http.
We tried to add another rule in the same IngressRoute with the highest priority and without the middleware, but it's not working. The request is still forwarded to https.

```yaml
# HTTP redirect IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: redirect-to-https
spec:
  entryPoints:
  - web
  routes:
  # For certificate issuance requests
  - kind: Rule
    match: PathPrefix(`/.well-known/acme-challenge/`)
    priority: 9999 # necessary, if you have further Ingress/IngressRoutes
    services:
    - kind: TraefikService
      name: api@internal
  - kind: Rule
    match: PathPrefix(`/`)
    middlewares:
    - name: redirect-to-https
    priority: 9998 # necessary, if you have further Ingress/IngressRoutes
    services:
    - kind: TraefikService
      name: api@internal
```

Please suggest how to exclude "/.well-known/acme-challenge/" from the https redirect. Other than this URL, all others should redirect to https.

Why is that? Usually, it shouldn't matter if the challenge was redirected to HTTPS.

The path you're using in your attempt to not redirect the http-01 challenge is correct, and I'm not familiar enough with IngressRoute to suggest anything else, I'm afraid. Perhaps anyone else knows.

3 Likes

As per Challenge Types - Let's Encrypt, http-01 only works with http.
Hence, as per my IngressRoute, the "/.well-known/acme-challenge/" request also gets forwarded to https and then it does not work.

The validation server will follow redirects to HTTPS. It's just that the first connection will always be initiated over HTTP (port 80).

This is also stated in the challenge docs you've linked to.

3 Likes
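The redirect behaviour described in the reply above can be checked offline before blaming the redirect for a failed issuance. The sketch below is an added example, not code from the thread or from Let's Encrypt; it applies the redirect limits given in the Let's Encrypt http-01 documentation (at most 10 redirects, only http/https schemes, only ports 80 or 443, no IP-address targets) to constructed sample chains, and `check_chain` and the `example.com` URLs are hypothetical names.

```python
# Added example, not from the thread. All URLs and the token are constructed.
import ipaddress
from urllib.parse import urlsplit

MAX_REDIRECTS = 10  # limit stated in the Let's Encrypt http-01 documentation
DEFAULT_PORT = {"http": 80, "https": 443}
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def _is_ip(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_chain(chain):
    """chain[0] is the validator's first request; chain[1:] are the Location
    targets it was redirected to, in order. Returns (ok, reason)."""
    first = urlsplit(chain[0])
    if first.scheme != "http" or (first.port or 80) != 80:
        return False, "first request is always plain HTTP on port 80"
    if not first.path.startswith(CHALLENGE_PREFIX):
        return False, "not an http-01 challenge path"
    if len(chain) - 1 > MAX_REDIRECTS:
        return False, "more than 10 redirects"
    for target in chain[1:]:
        u = urlsplit(target)
        if u.scheme not in DEFAULT_PORT:
            return False, "redirect scheme is not http or https: " + target
        if (u.port or DEFAULT_PORT[u.scheme]) not in (80, 443):
            return False, "redirect port is not 80 or 443: " + target
        if not u.hostname or _is_ip(u.hostname):
            return False, "redirect target must be a hostname: " + target
    return True, "redirect chain is acceptable"


TOKEN_PATH = CHALLENGE_PREFIX + "sample-token"  # constructed token
START = "http://example.com" + TOKEN_PATH
SAMPLES = {
    "http to https, same host": [START, "https://example.com" + TOKEN_PATH],
    "https on port 8443": [START, "https://example.com:8443" + TOKEN_PATH],
    "redirect to an IP address": [START, "https://203.0.113.10" + TOKEN_PATH],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        print(name, "->", check_chain(chain))
```

A blanket http-to-https redirect like the one in the question falls into the first sample, so a failing validation in that setup points at something other than the redirect itself, such as what answers the challenge path on the HTTPS side.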

Hi @shwetakawale, and welcome to the LE community forum.

It seems like you might be better served by asking your question on Traefik support channels.

4 Likes