Cloudflare Origin Certificate co-existing with Let's Encrypt

Basically I have traefik setup to both act as a local reverse proxy and an endpoint for cloudflare proxy/tunnels. The way I’m handling this is by setting up two different entry points. One is called https-internal which runs on 443 and should use the Let’s Encrypt certificates. The other is called https-external and runs on 444 and should use the manually specified origin certificates. How on earth do I get the entry point on 444 to use a specific cert-store/certificates…

Relevant section from static config…

entryPoints:
  https-internal:
    address: ':443'
    asDefault: true
    forwardedHeaders:
      trustedIPs: *internalIPs
    proxyProtocol:
      trustedIPs: *internalIPs
    http:
      tls:
        certResolver: cloudflare
        domains: &domainList
          - main: 'mydomain.net'

  https-external:
    address: ':444'
    asDefault: false
    forwardedHeaders:
      # Reuse list of Cloudflare trusted IPs above for HTTPS requests
      trustedIPs: *trustedIPs
    proxyProtocol:
      # Reuse list of Cloudflare trusted IPs above for HTTPS requests
      trustedIPs: *trustedIPs
    http3:
      advertisedPort: '443'
    http:
      tls:
        domains: *domainList

Section from dynamic config…

tls:
  certificates:
    - certFile: /origin/origin.pem
      keyFile: /origin/origin.key
      stores:
        - cloudflare-origin

I am basically just trying to use the cert resolver for the https-internal and the cloudflare-origin store for the https-external…

The external just keeps using the Let’s Encrypt certificate. What am I missing here?

For custom TLS certs, you simply enable TLS on the entrypoint (tls: {}) and make sure to load the certs in a dynamic config file via providers.file in static config. Certs will be matched and applied automatically.

AFAIK Traefik does not support multiple stores, only default, so remove the stores line.
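As an added example (not the poster's configuration or anything from the Traefik project), here is what the approach described above looks like end to end: the ACME resolver on one entrypoint, plain `tls: {}` on the other, and the origin certificate loaded through `providers.file`. The two YAML documents below are two separate files; the `/etc/traefik/dynamic` directory, the `/letsencrypt/acme.json` storage path, the e-mail address and the `*.mydomain.net` SAN are assumptions, while the `/origin/origin.pem` and `/origin/origin.key` paths come from the thread.

```yaml
# File 1: traefik.yml (static configuration). Added example, not the poster's file.
entryPoints:
  https-internal:
    address: ':443'
    http:
      tls:
        certResolver: cloudflare        # ACME (Let's Encrypt) certificates via DNS challenge
        domains:
          - main: 'mydomain.net'
            sans:
              - '*.mydomain.net'        # assumed: the wildcard the poster mentions later
  https-external:
    address: ':444'
    http:
      tls: {}                           # TLS on, no resolver: serve certs from the dynamic config

providers:
  file:
    directory: /etc/traefik/dynamic     # assumed path; every file here is dynamic configuration
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: admin@mydomain.net         # placeholder
      storage: /letsencrypt/acme.json   # assumed path
      dnsChallenge:
        provider: cloudflare
---
# File 2: /etc/traefik/dynamic/origin.yml (dynamic configuration)
tls:
  certificates:
    - certFile: /origin/origin.pem
      keyFile: /origin/origin.key
      # No "stores" key: Traefik only honours the store named "default",
      # so every certificate loaded this way lands in that one store.
```

The dynamic certificate is matched to incoming connections by SNI against its SANs, not by entrypoint, which is why this configuration alone cannot pin the origin certificate to port 444 when both certificates cover the same names.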

Removed the store line. Didn't really change anything.

I'm pretty sure they are loaded correctly, but I'm still getting handed Let's Encrypt certificates. There isn't a way to specifically specify I want this endpoint to use this certificate?

Technically my cert resolver receives a wildcard, so both the Let's Encrypt certificates and the origin certificate are valid for that domain. So how does it pick then?

A TLS certificate contains a Common Name (CN) and Subject Alternative Names (SANs).

An HTTPS request contains the Server Name Indication (SNI), which is used to select the correct TLS certificate.

Right, but technically in my case they are both valid for the same domains… The origin cert is valid for *.mydomain.com but only from Cloudflare, and the ACME cert is valid for *.mydomain.com also… just from everywhere. So auto selection won't really work.

Good point. Try to create an issue or feature request with the devs on Traefik's GitHub.