I have 2 certificates for the same domain example.com, one is self-signed and the other Cloudflare.
Here are the configs, please check and help me find out what I am doing wrong please.
traefik.yaml

```yaml
services:
  traefik:
    image: "traefik:v3.2"
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    deploy:
      replicas: 2
      placement:
        constraints:
          - node.labels.node != server-a
      update_config:
        parallelism: 1
        delay: 1s
        order: stop-first
      labels:
        traefik.enable: "true"
        traefik.http.routers.traefik-https.service: api@internal
        traefik.http.services.traefik.loadbalancer.server.port: "8080"
        traefik.http.routers.traefik-http.entrypoints: http
        traefik.http.routers.traefik-http.rule: Host(`router.example.com`)
        traefik.http.routers.traefik-https.entrypoints: https
        traefik.http.routers.traefik-https.rule: Host(`router.example.com`)
        traefik.http.routers.traefik-https.tls: "true"
        traefik.http.routers.traefik-https.tls.certresolver: "default"
        traefik.http.routers.traefik-http.middlewares: traefik-http-redirect
        traefik.http.middlewares.traefik-http-redirect.redirectscheme.scheme: https
        traefik.http.middlewares.traefik-http-redirect.redirectscheme.permanent: 'true'
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/store/traefik/conf/dynamic.yaml:/etc/traefik/dynamic.yaml:ro"
      - "/store/traefik/certs:/etc/certs:ro"
    env_file:
      - .env.traefik
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.swarm=true"
      - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
      - "--providers.swarm.exposedbydefault=false"
      - "--providers.file.filename=/etc/traefik/dynamic.yaml"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.http.transport.respondingTimeouts.readTimeout=10m"
      - "--entrypoints.https.transport.respondingTimeouts.readTimeout=10m"
    networks:
      - secret
networks:
  secret:
    external: true
```
dynamic.yaml

```yaml
tls:
  certificates:
    - certFile: "/etc/certs/self-cert.pem"
      keyFile: "/etc/certs/self-key.pem"
      stores:
        - default
    - certFile: "/etc/certs/cloudflare-cert.pem"
      keyFile: "/etc/certs/cloudflare-key.pem"
      stores:
        - cloudflare
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/certs/self-cert.pem"
        keyFile: "/etc/certs/self-key.pem"
```
app-1.yaml

```yaml
services:
  app-1:
    image: "app/app-1:latest"
    networks:
      - secret
    env_file:
      - .env.app-1
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.node != server-a
      update_config:
        parallelism: 1
        order: start-first
        monitor: 5s
      labels:
        traefik.enable: "true"
        traefik.docker.network: secret
        traefik.http.services.app-1.loadbalancer.server.port: "8080"
        traefik.http.routers.app-1-http.entrypoints: http
        traefik.http.routers.app-1-http.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.entrypoints: https
        traefik.http.routers.app-1-https.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.tls: "true"
        traefik.http.routers.app-1-https.tls.certresolver: "cloudflare"
networks:
  secret:
    external: true
```
app-2.yaml

```yaml
services:
  app-2:
    image: "app/app-2:latest"
    networks:
      - secret
    env_file:
      - .env.app-2
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.node != server-a
      update_config:
        parallelism: 1
        order: start-first
        monitor: 5s
      labels:
        traefik.enable: "true"
        traefik.docker.network: secret
        traefik.http.services.app-2.loadbalancer.server.port: "8080"
        traefik.http.routers.app-2-http.entrypoints: http
        traefik.http.routers.app-2-http.rule: Host(`app-2.example.com`)
        traefik.http.routers.app-2-https.entrypoints: https
        traefik.http.routers.app-2-https.rule: Host(`app-2.example.com`)
        traefik.http.routers.app-2-https.tls: "true"
        traefik.http.routers.app-2-https.tls.certresolver: "default"
networks:
  secret:
    external: true
```
Is it supported? Because I am still having this issue.
When I have Flexible everything works, but when I have Full (strict) then all hell breaks loose.
I have the Cloudflare cert files, so why do I need to go through hell? What setting or config do I need for this to work???
when "Flexible" is enabled

```text
$ curl -ILv https://app-1.example.com
* Host app-1.example.com:443 was resolved.
* IPv6: 2001:db8::1, 2001:db8::2, 2001:db8::3, 2001:db8::4, 2001:db8::5, 2001:db8::6, 2001:db8::7
* IPv4: 203.0.113.1, 203.0.113.2, 203.0.113.3, 203.0.113.4, 203.0.113.5, 203.0.113.6, 203.0.113.7
* Trying [2001:db8::1]:443...
* Connected to app-1.example.com (2001:db8::1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=example.com
* start date: Jun 27 01:11:42 2025 GMT
* expire date: Sep 25 02:09:54 2025 GMT
* subjectAltName: host "app-1.example.com" matched cert's "*.example.com"
* issuer: C=US; O=Google Trust Services; CN=WE1
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://app-1.example.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: app-1.example.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: app-1.example.com
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/2 200
HTTP/2 200
< date: Sat, 12 Jul 2025 04:02:33 GMT
< content-type: text/html
< nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
< etag: W/"67db6ebe-1d3"
< last-modified: Thu, 20 Mar 2025 01:26:22 GMT
< server: cloudflare
< vary: Accept-Encoding
< cf-cache-status: DYNAMIC
< report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=FAKE_REPORT_PAYLOAD"}]}
< cf-ray: AAAABBBBCCCCDDDD-DFW
< alt-svc: h3=":443"; ma=86400
<
* Connection #0 to host app-1.example.com left intact
```
when "Full Strict" is enabled

```text
$ curl -ILv https://app-1.example.com
* Host app-1.example.com:443 was resolved.
* IPv6: 2001:db8::1, 2001:db8::2, 2001:db8::3, 2001:db8::4, 2001:db8::5, 2001:db8::6, 2001:db8::7
* IPv4: 203.0.113.1, 203.0.113.2, 203.0.113.3, 203.0.113.4, 203.0.113.5, 203.0.113.6, 203.0.113.7
* Trying [2001:db8::1]:443...
* Connected to app-1.example.com (2001:db8::1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=example.com
* start date: Jun 27 01:11:42 2025 GMT
* expire date: Sep 25 02:09:54 2025 GMT
* subjectAltName: host "app-1.example.com" matched cert's "*.example.com"
* issuer: C=US; O=Google Trust Services; CN=WE1
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://app-1.example.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: app-1.example.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: app-1.example.com
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/2 526
HTTP/2 526
< date: Sat, 12 Jul 2025 04:04:44 GMT
< content-type: text/plain; charset=UTF-8
< content-length: 15
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< referrer-policy: same-origin
< x-frame-options: SAMEORIGIN
< server: cloudflare
< cf-ray: EEEEFFFFGGGGHHHH-DFW
<
* Connection #0 to host app-1.example.com left intact
```
As soon as I have Full (strict) enabled I get Invalid SSL certificate.
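The following is an added example of how the two files above would look with the TLS part corrected; it is not from the original post and it assumes the same file names, paths and hostnames the post uses, plus a Cloudflare Origin CA certificate whose SANs cover `example.com` and `*.example.com`. It addresses three things visible in the posted configs. First, Traefik (v2 and v3) only serves certificates from the TLS store named `default`; a certificate assigned to a store called `cloudflare` is never offered to any client, so the only certificate Traefik can present for the proxied hostnames is the self-signed one. Second, `tls.certresolver` names an ACME resolver, and no `--certificatesresolvers.*` flags exist in the `command:` list, so neither `default` nor `cloudflare` is a resolver that can issue anything; the handshake falls through to whatever the default store holds. Third, Cloudflare's 526 is the edge refusing the origin certificate under Full (strict), which requires a certificate that is valid for the hostname and issued either by a publicly trusted CA or by Cloudflare's Origin CA; a self-signed certificate can never pass that check, which is why Flexible "works" (Cloudflare then talks plain HTTP to port 80 and never looks at the origin certificate, leaving the edge-to-origin leg unencrypted) and Full (strict) does not.

```yaml
# Added example, not from the original post.
# dynamic.yaml: keep every certificate that must be served in the "default"
# store (omitting "stores:" means default), and make the Cloudflare Origin
# CA certificate the fallback too, so a connection whose SNI matches nothing
# still gets a certificate Cloudflare accepts. Paths are assumed to match
# the volume mount /store/traefik/certs:/etc/certs from the post.
tls:
  certificates:
    # Cloudflare Origin CA certificate and key (assumed SANs: example.com,
    # *.example.com). The self-signed pair is left out: it can never satisfy
    # Full (strict), and two certificates for the same names in one store
    # would compete for the same SNI entry.
    - certFile: "/etc/certs/cloudflare-cert.pem"
      keyFile: "/etc/certs/cloudflare-key.pem"
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/certs/cloudflare-cert.pem"
        keyFile: "/etc/certs/cloudflare-key.pem"
---
# app-1.yaml, labels only (app-2 and the traefik service get the same
# treatment with their own router names). "tls: true" is enough: with no
# certresolver label the router takes its certificate from the default
# store by SNI, which is the hostname Cloudflare sends when it connects.
services:
  app-1:
    deploy:
      labels:
        traefik.enable: "true"
        traefik.docker.network: secret
        traefik.http.services.app-1.loadbalancer.server.port: "8080"
        traefik.http.routers.app-1-http.entrypoints: http
        traefik.http.routers.app-1-http.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.entrypoints: https
        traefik.http.routers.app-1-https.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.tls: "true"
        # removed: traefik.http.routers.app-1-https.tls.certresolver: "cloudflare"
        # (an ACME resolver name; none is configured in traefik.yaml)
```

To confirm what the origin actually presents, bypass the Cloudflare edge and connect to the origin's own address with the right SNI, for example `openssl s_client -connect ORIGIN_IP:443 -servername app-1.example.com </dev/null | openssl x509 -noout -subject -issuer` (ORIGIN_IP is a placeholder for one of the Swarm nodes); before the change the issuer is the self-signed subject, after it the issuer should be Cloudflare's Origin CA, and only then does Full (strict) stop returning 526. Two further points a reviewer would raise on the posted traefik.yaml, unrelated to the 526: `--api.insecure=true` serves the API and dashboard on port 8080 with no authentication, and since the dashboard is already exposed through the `api@internal` router it can be dropped (with an auth middleware on that router); and `--log.level=DEBUG` is where Traefik reports ignored stores and unknown resolvers, so the log from the current config should already show which certificate each router resolved to.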
