Disable redirecting requests to "/.well-known/acme-challenge" to HTTPS?

Hello Colleagues,

My issue:

I have configured:

  1. An nginx-ingress controller with the “nginx-ingress” ingressclass
  2. A ClusterIssuer with an http01 solver with the “nginx-ingress” ingressclass
  3. A VirtualServer with “spec.tls.redirect.enable: true” using the “nginx-ingress” ingressclass.

It seems that the redirect on the VirtualServer level prevents Let’s Encrypt’s challenge from reaching the virtual server’s “/.well-known/acme-challenge” endpoint, because the TLS certificate does not yet exist at that moment (the VirtualServer has only just been created). So the certificate request process is stuck forever.

Solutions I’ve tried:

I have tried changing “spec.tls.redirect.enable” to false temporarily; after that the ClusterIssuer was able to get a certificate, and I changed the value back to true. However, this variant is not suitable for production and will probably break when the certificate expires.

What I am looking for:

I would like to find a standard solution for all my VirtualServers, or better on the controller level, so that requests to “/.well-known/acme-challenge” are not redirected (if I have correctly identified the root cause, of course).

Using the dns solver is out of the question currently, sorry.

Version of NIC and/or NGINX:

nginx-stable/nginx-ingress chart v2.4.4

Deployment environment:

K3s cluster, the nginx-ingress controller is using host networking.

This may be related: “[Bug]: Cert manager integration for VirtualServers when using HTTP01 challenges and Redirect not working” (issue #8469, nginx/kubernetes-ingress on GitHub), but it does not seem to offer any solution.
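The three objects described in the post above, written out as an added example so the setup is concrete; these are not manifests from the original post or from the NGINX project. The host, secret and object names, the contact e-mail and the upstream service are placeholders, and the ingress class name “nginx-ingress” is the one the post uses.

```yaml
# Added example: the setup from the post above, with placeholder names.
# 1. The ClusterIssuer: an ACME http01 solver that creates challenge
#    Ingress resources for the "nginx-ingress" ingress class.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod            # placeholder name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com        # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx-ingress
---
# 2. The VirtualServer. cert-manager is asked (tls.cert-manager) to issue
#    the certificate into tls.secret, while tls.redirect.enable: true
#    redirects every plain-HTTP request, including the ACME challenge
#    path, to HTTPS before the certificate exists.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: webapp                      # placeholder name
  namespace: default
spec:
  ingressClassName: nginx-ingress
  host: webapp.example.com          # placeholder host
  tls:
    secret: webapp-tls              # cert-manager writes the cert here
    cert-manager:
      cluster-issuer: letsencrypt-prod
    redirect:
      enable: true                  # the setting the post identifies as the problem
      # The workaround described in this thread is to set this to false
      # until the Certificate becomes Ready, then set it back to true.
  upstreams:
  - name: webapp
    service: webapp-svc             # placeholder Service
    port: 80
  routes:
  - path: /
    action:
      pass: webapp
```

To confirm that the redirect, and not something else, is what blocks issuance, look at the pending cert-manager Challenge for the host (`kubectl get challenges -A`, then `kubectl describe challenge <name>`): cert-manager performs its own HTTP self-check against the challenge URL before asking the ACME server to validate, and the Challenge status reports the result of that check. A check that keeps failing while the redirect is enabled, and starts passing as soon as `redirect.enable` is set to false, matches the behaviour the post describes.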

Thanks for bringing this up. The GitHub issue is already on our roadmap. Please follow the issue for more future updates.

Hi, so how do people work around this problem now?

Hi @victor-sudakov - my workaround was to temporarily disable the TLS until ACME could perform the validation, then re-enable it. However, I think this may break certificate updates when they happen.

It seems there may be a snippet-based workaround here, but I have not personally tried it.

Daniel, thanks for your response. Disabling TLS is what I have done as well, but this approach does not scale especially if your virtual servers come and go.

The snippet workaround… Well, it is just ugly :) And I usually disable snippets when installing an ingress controller.