How to add my own certificates to traefik using cli?

Given below are the command-line arguments relevant to TLS/certificates that I pass to Traefik in my docker compose file:

- --entrypoints.websecure.asDefault=true
- --entrypoints.websecure.http.tls=true
- --entrypoints.websecure.http.tls.certresolver=cloudflare
- --entrypoints.websecure.http.tls.domains[0].main=xd003.site
- --entrypoints.websecure.http.tls.domains[0].sans=*.example.com,*.adguard.example.com
- --certificatesresolvers.cloudflare.acme.email=myemail
- --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
- --certificatesresolvers.cloudflare.acme.dnschallenge=true
- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
- --certificatesResolvers.cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53

I now need to stop Traefik from generating its own certificate and pass my own certificate, which I have generated through certbot. Accordingly, I checked the user-defined TLS section here - Traefik TLS Documentation | Traefik | v3.0, but I don't see any CLI option there?

  1. Can someone please help me with the CLI command for the user-defined TLS referred to above?
  2. Lastly, which lines would I need to remove from the existing CLI arguments I use? I think except the first 2 lines I should remove everything else, but I just want to confirm.

It's simple: you cannot.

For own custom certs, you need to use providers.file (or another provider) and load the dynamic TLS config (doc).

UPDATE: But at least you can place the certs inline, if you only want one additional file to manage (example).

Thanks for the confirmation. Regarding the second question, should I remove all these lines from traefik -> command: except the first 2?

If you want to use your own certs, then you only need the provider to load the dynamic TLS config and to globally declare the use of TLS on that entrypoint/port.

Don’t forget to (manually) renew the certs!


IIRC certbot sets up automatic renewal by default these days, let me confirm once... oh yes, it certainly does:

ubuntu@xd003:/etc/systemd/system$ ls | grep certbot
snap-certbot-3026.mount
snap-certbot\x2ddns\x2dcloudflare-2641.mount
snap.certbot.renew.service
snap.certbot.renew.timer
ubuntu@xd003:/etc/systemd/system$

It felt like a weird idea to have a separate yml/toml just for 2 lines of config. So I added the following to the command: block of Traefik in my docker compose:

- sh -c "mkdir -p /config && wget 'https://gist.githubusercontent.com/xd003/dc5c6947bb5331834fbc07f2d97c8103/raw/f6a785cb0612a7917cc1a4c8659ff6f1a841b044/config.toml' -P /config"
- --providers.file.filename=/config/config.toml

That GitHub gist link contains the following:

[[tls.certificates]]
  certFile = "/etc/letsencrypt/live/xd003.site/fullchain.pem"
  keyFile = "/etc/letsencrypt/live/xd003.site/privkey.pem"

I am trying to run a shell command to create the directory /config and wget config.toml from GitHub Gists into that folder, then use providers.file to have Traefik read that dynamic config.
But the sh command doesn't seem to have worked at all; any clue what might be going wrong here?

If it's static, you could just use
echo "content" > /path/file

If it's dynamic, you could have a tiny script that adds all cert files dynamically to the config file, as I have tried before:

  # The dynamic config is written into $WEBROOT, which must already be set
  : "${WEBROOT:?WEBROOT must point to the directory Traefik's file provider reads}"
  FILE="$WEBROOT/traefik-certbot.yml"
  printf "tls:\n  options:\n    default:\n      minVersion: VersionTLS12\n  certificates:\n" > "$FILE"
  # One list entry per certbot lineage, with the PEM contents inlined as YAML block scalars
  for NAME in $(find /etc/letsencrypt/live/ -maxdepth 1 -mindepth 1 -type d -print) ; do
    printf "TRAEFIK TLS FILE ADD %s\n" "$NAME"
    printf "    # CERT FILE %s\n" "$NAME" >> "$FILE"
    printf "    - certFile: |-\n" >> "$FILE"
    sed -e 's/^/        /' "$NAME/fullchain.pem" >> "$FILE"
    printf "      keyFile: |-\n" >> "$FILE"
    sed -e 's/^/        /' "$NAME/privkey.pem" >> "$FILE"
  done

cat <<EOT >> /config.toml
[[tls.certificates]]
  certFile = "/etc/letsencrypt/live/example.site/fullchain.pem"
  keyFile = "/etc/letsencrypt/live/example.site/privkey.pem"
EOT

I just need to execute this shell command inside the Traefik container, but it's not getting accepted along with the existing parameters because I guess those parameters are passed to the entrypoint. I can't really pass a shell command here. Normally such commands can easily be passed through sh -c, but that doesn't seem possible in combination with Traefik CLI arguments.

Did you ever check my other post? It's running a full script inside docker-compose.

Of course, if you overwrite entrypoint and command, you need to manually start Traefik at the end. According to the Dockerfile, it's just /traefik.

You also use the CLI for --providers.file, but I don't see any entrypoint declaration. You cannot mix static config in traefik.yml and CLI parameters; Traefik will only use one source. Please check again the simple Traefik example.

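The two answers above add up to one procedure: override the image's entrypoint with a script that first writes the dynamic TLS config (one entry per certbot lineage, referencing the PEM files rather than inlining them) and then execs /traefik with the static config on the command line. The script below is an added example, not code from the thread or from the Traefik project. It assumes certbot's live/ tree is mounted at CERT_ROOT, that DYNAMIC_FILE is writable, that the image provides /bin/sh (the official image is Alpine-based), and that the only static config you still need is the websecure entrypoint plus the file provider. The function is separated from the exec so it can be tested on a constructed directory tree.

```shell
#!/bin/sh
# Added example, not code from the thread: build Traefik's dynamic TLS config
# from every certbot "live" directory, then exec /traefik with the static
# config passed as CLI flags. Meant to replace the image's entrypoint.
# Assumptions: certbot's live/ tree is mounted at CERT_ROOT, DYNAMIC_FILE is
# writable, and /bin/sh exists in the image.
set -e

CERT_ROOT="${CERT_ROOT:-/etc/letsencrypt/live}"
DYNAMIC_FILE="${DYNAMIC_FILE:-/config/dynamic.yml}"

# gen_traefik_tls_config ROOT OUT
# Writes a tls.certificates list that references fullchain.pem/privkey.pem of
# every subdirectory of ROOT holding both files. Incomplete lineages and plain
# files (certbot drops a README into live/) are skipped with a message on
# stderr. Prints the number of certificates written on stdout.
gen_traefik_tls_config() {
    root="$1"
    out="$2"
    count=0
    mkdir -p "$(dirname "$out")"
    {
        printf 'tls:\n'
        printf '  options:\n    default:\n      minVersion: VersionTLS12\n'
        printf '  certificates:\n'
    } > "$out"
    for dir in "$root"/*/; do
        dir="${dir%/}"
        [ -d "$dir" ] || continue
        if [ ! -f "$dir/fullchain.pem" ] || [ ! -f "$dir/privkey.pem" ]; then
            printf 'skipping %s: fullchain.pem or privkey.pem missing\n' "$dir" >&2
            continue
        fi
        printf '    - certFile: %s/fullchain.pem\n' "$dir" >> "$out"
        printf '      keyFile: %s/privkey.pem\n' "$dir" >> "$out"
        count=$((count + 1))
    done
    echo "$count"
}

# Container entry: generate the file, refuse to start with an empty
# certificate list (Traefik would silently fall back to its default cert),
# then exec Traefik so it becomes PID 1 and receives stop signals.
if [ "${1:-}" = "run" ]; then
    n="$(gen_traefik_tls_config "$CERT_ROOT" "$DYNAMIC_FILE")"
    if [ "$n" -eq 0 ]; then
        echo "no usable certificate directories under $CERT_ROOT" >&2
        exit 1
    fi
    exec /traefik \
        --entrypoints.websecure.address=:443 \
        --entrypoints.websecure.asDefault=true \
        --entrypoints.websecure.http.tls=true \
        --providers.file.filename="$DYNAMIC_FILE" \
        --providers.file.watch=true
fi
```

To wire it into docker compose, mount the script (for example at /entrypoint.sh) and the certbot directory, and set `entrypoint: ["/bin/sh", "/entrypoint.sh", "run"]` with no `command:` block, since the CLI flags now live in the script and mixing them with another static source is exactly what the last answer warns against. Because the file provider watches DYNAMIC_FILE, re-running the generator from a certbot deploy hook after a renewal rewrites the file and lets Traefik pick up the renewed lineage without a container restart.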
