How does Traefik refresh an expired tailscale cert?

snazzybunny · June 12, 2025, 5:59pm

Hello,

In the Traefik docs, it says for automatic renewals that "Traefik automatically tracks the expiry date of each Tailscale certificate it fetches, and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy."

How does this work exactly? Will Traefik run some sort of internal cronjob that checks the expiration and updates the certs when needed? Does it update the cert when you access the domain? So if nobody accesses the domain, it may never update the certificate? I'm asking because there is not much information about it. Thanks.

bluepuma77 · June 12, 2025, 6:58pm

My understanding from the doc is, that Traefik will connect to tailscale server (similar to other certResolvers like LetsEncrypt) to fetch a xx.yy.ts.net domain TLS cert for the router rule used domain.

Traefik fetches the cert, it has its data, it serves the cert for matching requests, and will automatically renew it. Not sure if this is checked internally every minute, hour or day. But you don’t need to access the service for it to work.

Topic		Replies	Views
No auto cert renewal Traefik v3 (latest) letsencrypt-acme	4	90	January 18, 2025
Will traefik renew custom certificates? Traefik v2 letsencrypt-acme	1	725	September 26, 2020
Let's Encrypt renewal is a few days late Traefik v3 (latest) letsencrypt-acme	2	66	September 16, 2024
How to Force-update Let's Encrypt Certificates Blog	9	3330	December 11, 2023
Traefik with letsencrypt not renewing the cert Traefik v2 docker , letsencrypt-acme	5	3748	August 29, 2023

How does Traefik refresh an expired tailscale cert?

Related topics