I have my traefik.yml set up to use cloudflare as the certresolver. I also have it set up as a "certificatesResolvers" with dnsChallenge. The ACME storage file is being updated periodically, so I assume this means Traefik is renewing the certificate. When I decode the certificate in that file it is from Let's Encrypt.
I noticed that Cloudflare appears to manage and automatically renew an edge certificate for my domain on its own. It uses Google Trust Services and when I go to one of my web sites, I can see the certificate is from Google Trust Services (it appears Cloudflare switched to that in September 2024), so that's the certificate being used, not the one from my Traefik ACME storage file.
If Cloudflare is renewing an SSL/TLS certificate on its own, what is the point of Traefik renewing and installing its own certificate? Is it just so Cloudflare can make a secure connection to my server? If that's the case, having it signed with my domain doesn't make a lot of sense.
Cloudflare provides free certificates for that purpose called Origin Certificates which are only good for encryption between Cloudflare and the server, so it seems like I should use that and not have Traefik renew a Let's Encrypt certificate that's never returned to anyone besides Cloudflare.
Does this make sense or am I missing something?
Edit: I created an Origin Certificate which is good for 15 years and installed it in Traefik and it works, so I'm not sure why I would use ACME at this point.