Robin

Reputation: 8518

Using Traefik with TLS (acme plugin) on non HTTP port for HTTP traffic

Unlike the question "Traefik and Let's Encrypt on non default http port 80?", I'm running Traefik (> 1.7) on the default http ports.

I want to configure an additional entrypoint for HTTP traffic of one service on 8448. So I've added this entrypoint to my traefik.toml:

defaultEntryPoints = ["http", "https"]
logLevel = "DEBUG"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.synapse]
  address = ":8448"
    [entryPoints.synapse.tls]

[api]

[acme]
email = "[email protected]"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.com"
watch = true
exposedByDefault = false

My docker service is using this port via labels like:

labels:
  - traefik.enable=true
  - traefik.clients.frontend.rule=Host:matrix.example.com
  - traefik.clients.port=8008
  - traefik.clients.docker.network=proxy
  - traefik.federation.frontend.rule=Host:matrix.example.com
  - traefik.federation.port=8448
  - traefik.federation.docker.network=proxy
  - traefik.federation.frontend.entryPoints=synapse

Unfortunately, Traefik does not expose this port at all, even though my Docker container does. The logs don't show any errors, but they do show that the entry point is set up by Traefik.

Does anybody have an idea what I'm doing wrong?

The setup works for other entry points as expected.

Upvotes: 3

Views: 777

Answers (1)

ldez

Reputation: 3128

Let's Encrypt requires port 443 for the TLS challenge (or port 80 for the HTTP challenge); it's a Let's Encrypt constraint.

https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72

Alternatively you can use the DNS Challenge.

Upvotes: 1
