HTTP Challenge with Cert-Manager and Traefik Ingress

TL;DR

To make the http challenge work with a global https redirect in Traefik, lower the priority of the https redirection router and set a higher priority for the http challenge router.

The Setup

The Kubernetes cluster I'm managing is using cert-manager (v1.15.3) to retrieve certificates and Traefik (v3.1.6) as the ingress controller. Until recently the only configured solver was dns01, since all domains pointing to the cluster were in a self-managed DNS zone.

The Problems

Making the challenge work:
Wanting to use a new domain where controlling the DNS zone via API is not an option, I decided to add an http01 solver to the cert-manager configuration. Initial tests of the challenge failed with a TLS error. I figured this is because of the global http to https redirection in Traefik.

Only using the http01 solver when needed:
Since the dns01 solver worked quite well so far, I only want to use the http01 solver when needed.

The Solution

While there are multiple suggested solutions for making http challenges work with a global https redirect (see https://github.com/cert-manager/cert-manager/issues/2911), none of them seemed to work. After digging around the Traefik documentation, I found a configuration for router priorities that solved my problem. By setting the priority of the http to https redirection to a lower value than the default MaxInt64, the http challenge router is able to match the request before the redirection does.

To only use the http01 solver when needed, add a label matcher to the solver configuration and add that label to the Certificate resource.

Setting the priority of the https redirection router by passing this parameter to Traefik:

--entrypoints.web.http.redirections.entrypoint.priority=1000000

Adding the http01 solver including a higher router priority annotation and a label matcher:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: your-cluster-issuer  # placeholder, not from the original post; use your issuer's name
spec:
  acme:
    # your acme configuration
    solvers:
      - dns01:
          # existing dns01 solver configuration
      - http01:
          ingress:
            ingressClassName: traefik
            ingressTemplate:
              metadata:
                annotations:
                  # set a higher priority than the traefik https redirect router (1000000 above)
                  traefik.ingress.kubernetes.io/router.priority: "20000000"
        # only use the http01 solver when needed: this solver is selected only for
        # Certificate resources carrying the label below
        selector:
          matchLabels:
            "example.org/use-http01-solver": "true"
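The two pieces the text refers to but does not show, as an added example that is not part of the original post: the Traefik static-configuration file equivalent of the CLI flag above, and a Certificate carrying the label that selects the http01 solver. These are two separate files shown in one block; the entry point names, the certificate and secret names, the namespace, the hostname and the ClusterIssuer name are assumptions, not values from the post.

```yaml
# File 1 (assumed path /etc/traefik/traefik.yml): Traefik static configuration.
# Equivalent of --entrypoints.web.http.redirections.entrypoint.priority=1000000.
# The generated redirect router gets priority 1000000 instead of the default
# MaxInt64, so the cert-manager challenge router (priority 20000000) matches first
# and only non-challenge requests are redirected to https.
entryPoints:
  web:                # assumed entry point name for port 80
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          priority: 1000000
  websecure:          # assumed entry point name for port 443
    address: ":443"
---
# File 2: Certificate that opts in to the http01 solver via the label matcher.
# Certificates without this label do not match the selector and keep using the dns01 solver.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-org            # assumed name
  namespace: default               # assumed namespace
  labels:
    # must match the solver's selector.matchLabels exactly (key and value)
    "example.org/use-http01-solver": "true"
spec:
  secretName: www-example-org-tls  # assumed secret name
  issuerRef:
    name: your-cluster-issuer      # placeholder: the ClusterIssuer's actual name
    kind: ClusterIssuer
  dnsNames:
    - www.example.org              # assumed hostname; must be reachable on port 80 for the challenge
```

After applying the Certificate, the challenge can be watched with `kubectl get challenges -A`: a challenge for a labelled Certificate should report the http01 solver type, and its `/.well-known/acme-challenge/` request must be answered with a plain http 200 rather than a redirect, which is exactly what the priority ordering guarantees.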

Contributors: Lukas Hass