@micw
Last active May 29, 2022 01:32
# This is an example of how to pass acme challenges to a backend of a particular domain while
# all other acme challenges are solved by traefik
# Tested with traefik 1.7.7
# How it works:
# - an entry point listens at 81 which is used for traefik's acme. This port is not exposed
# - a default rule for /.well-known/acme-challenge/ is added for the http entry point. It has a priority of 1000
#   and forwards acme requests to localhost:81 where traefik accepts acme challenges
# - for a particular domain, a rule with higher priority is added, so this domain's acme challenges are not sent to
#   traefik
# Note: to make traefik issue certs automatically (via onHostRule), it is necessary that the rule is bound to the "acme"
# entrypoint (see https://github.com/containous/traefik/issues/3918)

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.acme]
  address = ":81"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "test@traefik.io"
storage = "acme.json"
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "acme"

[file]

[backends]
  [backends.acme]
    [backends.acme.servers]
      [backends.acme.servers.server0]
      url = "http://127.0.0.1:81/"
  [backends.backend1]
    [backends.backend1.servers]
      [backends.backend1.servers.server0]
      url = "https://ifconfig.io/"

[frontends]
  [frontends.acme]
  entryPoints = ["http"]
  backend = "acme"
  passHostHeader = true
  priority = 1000
    [frontends.acme.routes]
      [frontends.acme.routes.route0]
      rule = "PathPrefix:/.well-known/acme-challenge/"
  [frontends.frontend1]
  entryPoints = ["http"]
  backend = "backend1"
  passHostHeader = false
  priority = 1001
    [frontends.frontend1.routes]
      [frontends.frontend1.routes.route0]
      rule = "Host:127.0.0.1.xip.io"
      priority = 1001
micw (author) commented Dec 29, 2019:

It works similarly with traefik 2:

First, enable an extra entry point for acme (e.g. via CLI) and routing config from a file (/etc/traefik/dynamic_conf.yml):

    command: |
      --log.level=INFO
      --api.dashboard=true
      --providers.docker=true
      --providers.docker.exposedbydefault=false
      --entrypoints.http.address=:80
      --entrypoints.acme.address=:81
      --entrypoints.https.address=:443
      --certificatesresolvers.default.acme.httpchallenge=true
      --certificatesresolvers.default.acme.httpchallenge.entrypoint=acme
      --certificatesresolvers.default.acme.email=letsencrypt@mydomain.com
      --certificatesresolvers.default.acme.storage=/data/acme.json
      --providers.file.filename=/etc/traefik/dynamic_conf.yml
      --providers.file.watch=true

In the config, add a default route for acme challenges with a priority of 1000:

    http:
      services:
        acme:
          loadBalancer:
            servers:
              - url: http://127.0.0.1:81/
      routers:
        acme:
          entryPoints:
            - http
          rule: PathPrefix(`/.well-known/acme-challenge/`)
          priority: 1000
          service: acme

Now for every service that needs to solve acme itself, set up an http router with a priority > 1000. Docker example:

    labels:
      traefik.enable: "true"
      traefik.http.routers.rancher-http.rule: Host(`mydomain.com`)
      traefik.http.routers.rancher-http.entryPoints: http
      traefik.http.routers.rancher-http.priority: 1001
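The whole scheme, in both the 1.7 gist and the traefik 2 comment, rests on one property of traefik's router selection: among all routers whose rule matches, the one with the highest priority wins, and in traefik 2 a router that sets no priority gets `len(rule)` as its default, which is far below 1000. The script below is an added example (not code from the gist or from traefik) that re-implements just enough of that selection in plain Python to check where a request ends up. It models only `Host()`, `PathPrefix()` and `&&`, does not model tie-breaking between equal priorities, and adds a constructed router `other-http` with no explicit priority plus an assumed service name `rancher` for the docker-labelled router (the labels in the comment do not name one); the request hosts are constructed too.

```python
"""Model of traefik v2 router selection for the acme-delegation setup.

Added example, not part of the gist or of traefik itself. Assumptions:
highest effective priority wins; default priority is len(rule) as in
traefik v2; only Host(), PathPrefix() and `&&` are understood; ties are
not modelled. Router "other-http" and service name "rancher" are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Matches one rule fragment such as Host(`mydomain.com`) or PathPrefix(`/x`).
RULE_TOKEN = re.compile(r"(Host|PathPrefix)\(`([^`]*)`\)")


@dataclass
class Router:
    name: str
    rule: str
    service: str
    entry_points: Tuple[str, ...] = ("http",)
    priority: Optional[int] = None  # None -> traefik v2 default: len(rule)

    def effective_priority(self) -> int:
        return self.priority if self.priority is not None else len(self.rule)

    def matches(self, host: str, path: str) -> bool:
        """True if every `&&`-joined fragment of the rule matches the request."""
        for part in (p.strip() for p in self.rule.split("&&")):
            m = RULE_TOKEN.fullmatch(part)
            if not m:
                raise ValueError(f"unsupported rule fragment: {part!r}")
            kind, arg = m.groups()
            if kind == "Host":
                # Host matching ignores a port suffix and letter case.
                if host.split(":")[0].lower() != arg.lower():
                    return False
            elif kind == "PathPrefix":
                if not path.startswith(arg):
                    return False
        return True


def select_router(routers, entry_point: str, host: str, path: str) -> Optional[Router]:
    """Pick the matching router bound to entry_point with the highest priority."""
    candidates = [r for r in routers
                  if entry_point in r.entry_points and r.matches(host, path)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.effective_priority())


def route(routers, host: str, path: str, entry_point: str = "http") -> Optional[str]:
    """Name of the service that receives the request, or None if nothing matches."""
    r = select_router(routers, entry_point, host, path)
    return r.service if r else None


# Routers from the traefik 2 comment above, plus one constructed router
# ("other-http") that leaves priority at the traefik default (len(rule) = 21).
ROUTERS = [
    Router("acme", "PathPrefix(`/.well-known/acme-challenge/`)", "acme", priority=1000),
    Router("rancher-http", "Host(`mydomain.com`)", "rancher", priority=1001),  # service name assumed
    Router("other-http", "Host(`other.example`)", "other"),  # constructed
]

if __name__ == "__main__":
    # Constructed sample requests: the delegated domain keeps its challenges,
    # every other host's challenges are forwarded to traefik's acme entry point.
    for host, path in [("mydomain.com", "/.well-known/acme-challenge/tok"),
                       ("other.example", "/.well-known/acme-challenge/tok"),
                       ("other.example", "/"),
                       ("unknown.example", "/.well-known/acme-challenge/tok")]:
        print(f"{host}{path} -> {route(ROUTERS, host, path)}")
```

Two things the run makes visible: the priority 1001 router claims every path on `mydomain.com`, not just the challenge path, which is what you want for a service that solves its own challenges; and a service that forgets to set a priority above 1000 silently keeps the traefik-solved default, so the check to add for a delegated domain is that a challenge-path request for its host resolves to its own service and not to `acme`.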

BcTpe4HbIu commented:

👍 Great solution!
