How does Traefik handle 2 matching TLS certs?

How does Traefik choose between 2 TLS certs that both match the hostname exactly?

I know your recommendation is going to be that I shouldn't include 2 identically-matching certs, but that's not within my control. We're using Cloudflare edge certificates to handle TLS for all our public domains, so we've installed the long-lived Cloudflare Origin CA certificate in Traefik to encrypt connections between our servers and Cloudflare. Cloudflare recognizes this cert, but no browsers do. It's essentially a self-signed cert from CF.

Then for our private domains that can only be accessed while on our VPN, we have real TLS certs installed. Since we don't control the hostnames that Cloudflare includes in their origin CA cert, there are sometimes overlaps such that now 2 certs match for a given hostname.

When this happens, what's the method Traefik uses to determine which cert to use? First in the list? Random?

Obviously it's not great to occasionally serve up a cert that browsers don't recognize, so it'd be great to know how to avoid this.

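The practical first step in the situation above is knowing exactly which hostnames fall into the overlap, since those are the only ones where the server's choice matters. The following is an added example, not code from the post or from Traefik itself: it builds two constructed stand-in certificates (one shaped like a wildcard origin cert, one like a narrowly scoped VPN cert) and reports every hostname covered by more than one of them. The domain names, the certificate labels and the SAN contents are assumptions made for the demonstration; with real certificates you would parse the PEM files instead of calling selfSigned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// namedCert pairs a parsed certificate with a label so results are readable.
type namedCert struct {
	Name string
	Cert *x509.Certificate
}

// selfSigned builds a throwaway self-signed certificate covering the given
// DNS names. Constructed test data only: it stands in for the real Cloudflare
// Origin CA certificate and the real VPN certificate from the post.
func selfSigned(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchingCerts returns, for each hostname, the labels of every certificate
// whose SANs cover it. VerifyHostname applies the wildcard rules a TLS client
// uses (one label, leftmost position only), so "*.example.com" matches
// "vpn.example.com" but not "a.b.example.com" and not the apex "example.com".
func matchingCerts(certs []namedCert, hostnames []string) map[string][]string {
	out := make(map[string][]string, len(hostnames))
	for _, h := range hostnames {
		var hits []string
		for _, c := range certs {
			if c.Cert.VerifyHostname(h) == nil {
				hits = append(hits, c.Name)
			}
		}
		sort.Strings(hits)
		out[h] = hits
	}
	return out
}

// ambiguousHosts lists the hostnames covered by more than one certificate,
// i.e. exactly the names for which the server, not the operator, decides.
func ambiguousHosts(matches map[string][]string) []string {
	var hosts []string
	for h, names := range matches {
		if len(names) > 1 {
			hosts = append(hosts, h)
		}
	}
	sort.Strings(hosts)
	return hosts
}

// demo builds the two-certificate scenario with constructed names: a wildcard
// "origin" cert for the public zone and a narrow cert for VPN-only hosts.
func demo() (map[string][]string, error) {
	origin, err := selfSigned("origin stand-in", []string{"example.com", "*.example.com"})
	if err != nil {
		return nil, err
	}
	vpn, err := selfSigned("vpn stand-in", []string{"vpn.example.com", "grafana.internal.example.com"})
	if err != nil {
		return nil, err
	}
	certs := []namedCert{{"cloudflare-origin", origin}, {"vpn-internal", vpn}}
	hosts := []string{"example.com", "www.example.com", "vpn.example.com", "grafana.internal.example.com"}
	return matchingCerts(certs, hosts), nil
}

func main() {
	matches, err := demo()
	if err != nil {
		panic(err)
	}
	for _, h := range ambiguousHosts(matches) {
		fmt.Printf("%s is covered by more than one certificate: %v\n", h, matches[h])
	}
}
```

For real inputs, read each PEM file, decode it with encoding/pem and hand the block's bytes to x509.ParseCertificate, then feed the hostnames from your Traefik router rules to matchingCerts. Any hostname that comes back with two entries is one where you should expect either certificate to be served until the overlap is removed.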