Setting certresolver on a router breaks http entrypoint

[thespad]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

Consider a docker container with the following labels:

      - traefik.http.routers.web-all.rule=(Host(`example.co.uk`) || Host(`www.example.co.uk`))
      - traefik.http.routers.web-all.entrypoints=https,http
      - traefik.http.routers.web-all.middlewares=middleware-https-redirect

This works as expected and will listen on http and https entrypoints and redirect http connections to https.

What did you see instead?

We add a label:

      - traefik.http.routers.web-all.tls.certresolver=dns

Now the http entrypoint is broken because TLS is enabled for it, and it will no longer redirect connections to http.

Configuring a certresolver on a router should not force a http listener to enable TLS.

What version of Traefik are you using?

Version: 2.10.1
Codename: saintmarcelin
Go version: go1.20.3
Built: 2023-04-27T14:52:35Z
OS/Arch: linux/amd64

What is your environment & configuration?

api:
  dashboard: true

experimental:
  http3: true

entryPoints:
  http:
    address: ":80"
    http:
      middlewares:
        - middleware-crowdsec-bouncer@file

  https:
    address: ":443"
    http3:
      advertisedPort: 443
    http:
      middlewares:
        - middleware-crowdsec-bouncer@file
      tls: {}

providers:
  docker:
    endpoint: "tcp://traefik-dockerproxy:2375"
    exposedByDefault: false
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.co.uk`)"
    network: proxy
  file:
    directory: "/configs"
    watch: true

certificatesResolvers:
  dns:
    acme:
      email: cert@example.co.uk
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

serversTransport:
  insecureSkipVerify: false

accessLog:
  fields:
    headers:
      defaultMode: keep

log:
  filePath: "/logs/traefik.log"
  level: INFO

Add more configuration information here.

    middleware-crowdsec-bouncer:
      forwardauth:
        address: http://traefik-crowdsec-bouncer:8080/api/v1/forwardAuth
        trustForwardHeader: true

      - traefik.http.middlewares.middleware-https-redirect.redirectscheme.scheme=https

If applicable, please paste the log output in DEBUG level

No response

[ldez]

Hello,

"http" or "https" endpoint names don't have real meaning: you can use every port to handle TLS.

entrypoint.websecure.http.tls (inside the static configuration) and the label traefik.http.routers.app.entrypoints=A,B implies that we will create 2 routers: one based on the A entrypoint "entrypoint.A.http" configuration and one based on the B entrypoint "entrypoint.B.http" configuration.

So in your context, you will have a router with TLS and a router without TLS.

But when you add the traefik.http.routers.app.tls.certresolver=dns you are applying this on all the routers, so TLS is applied on the 2 generated routers.

You have to either set the resolver on the entrpypoint.A.http.tls section of your static configuration or create 2 routers (one on A and one on B)

For help on your configuration, please join our Community Forum and reach out to us on the Traefik v2 section.