HTTP Challenge with Cert-Manager and Traefik Ingress
TL;DR
To make the http challenge work with a global https redirect in Traefik, lower the priority of the https redirection router and set a higher priority for the http challenge router.
The Setup
The Kubernetes cluster I'm managing uses cert-manager (v1.15.3) to retrieve certificates and Traefik (v3.1.6) as the ingress controller. Until recently the only configured solver was dns01, since all domains pointing to the cluster were in a self-managed DNS zone.
The Problems
Making the challenge work:
Wanting to use a new domain where controlling the DNS zone via an API is not an option, I decided to add an http01 solver to the cert-manager configuration. Initial tests of the challenge failed with a TLS error; I figured this was caused by the global http to https redirection in Traefik, which redirects the ACME validation request before the challenge router can answer it.
Only using the http01 solver when needed:
Since the dns01 solver has worked well so far, I only want to use the http01 solver when it is actually needed.
The Solution
While there are multiple suggested solutions for making http challenges work with a global https redirect (see https://github.com/cert-manager/cert-manager/issues/2911), none of them seemed to work. After digging around the Traefik documentation, I found a configuration for router priorities that solved my problem. Traefik generates the redirection router with the default priority MaxInt64, so it always wins. By setting the priority of the http to https redirection router to a lower value, and giving the http challenge router a priority above that, the challenge router matches the request before the redirection. The lowered value still has to be far higher than the priority of an ordinary router (which defaults to the length of its rule), so that every other http request keeps being redirected.
To only use the http01 solver when needed, add a label matcher (selector) to the solver configuration and add that label to the Certificate resource. Certificates without the label keep using the dns01 solver.
Set the priority of the https redirection router by passing this parameter to Traefik (the value is well above the default rule-length priorities, but below the priority the challenge router will get):
--entrypoints.web.http.redirections.entrypoint.priority=1000000
Add the http01 solver, including a higher router priority annotation and a label matcher:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
spec:
  acme:
    # your acme configuration
    solvers:
      - dns01:
          # existing dns01 solver configuration
      - http01:
          ingress:
            ingressClassName: traefik
            ingressTemplate:
              metadata:
                annotations:
                  # set higher priority than the traefik https redirect
                  traefik.ingress.kubernetes.io/router.priority: "20000000"
        # only use the http01 solver when needed
        selector:
          matchLabels:
            "example.org/use-http01-solver": "true"
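For completeness, here is a Certificate resource carrying the label that selects the http01 solver. This is an added example and not part of the original post; the resource name, namespace, secret name, domain and the issuer name (letsencrypt) are assumptions, only the label key and value come from the ClusterIssuer configuration above.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls            # assumed name
  namespace: default               # assumed namespace
  labels:
    # must match the solver selector in the ClusterIssuer;
    # Certificates without this label fall back to the dns01 solver
    "example.org/use-http01-solver": "true"
spec:
  secretName: example-com-tls      # assumed name of the resulting TLS secret
  dnsNames:
    - example.com                  # assumed domain, replace with yours
  issuerRef:
    name: letsencrypt              # assumed ClusterIssuer name
    kind: ClusterIssuer
```

While the order is in progress, `kubectl get ingress -A` shows the temporary challenge Ingress created by cert-manager; its `traefik.ingress.kubernetes.io/router.priority` annotation should read 20000000, and a plain http request to the `/.well-known/acme-challenge/` path must answer with the key authorization instead of a redirect. If it still redirects, the Traefik redirection priority was not lowered, or the challenge router priority is not above it.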