Running Traefik behind a reverse proxy: specify the DNS name presented by the self-signed TRAEFIK DEFAULT CERT


Is it possible to specify the DNS name that is used by Traefik to generate the "TRAEFIK DEFAULT CERT"?

For the time being, requests return a 502 error and I have this log in the "front" reverse proxy, (The reverse proxy is configured to accept self-signed certificates):

[ERROR 502 /] x509: certificate is valid for 35b60bb5bff2aede784119b0700f0c60.8cee7ff2734e6ab8353523c6a6cfeba4.traefik.default, not <my-public-FQDN>

More details

I am trying to setup a docker-compose environment with a few services and a Traefik v2 reverse proxy behind another reverse proxy (namely Caddy in my case).

The connection must be over TLS from end to end (that is from end-user to the service). So:

  • between end-user and the front Caddy reverse proxy, I use Let's encrypt
  • between Traefik and the service a self-signed cert generated by the service and corresponding --serverstransport.insecureskipverify=true flag

But I cannot configure the connection over TLS between the Caddy front reverse proxy and Traefik.

I have tried various options to force the domain name that is used by the default certificate manager from Traefik but without success until now, for instance:

adding this option does not work:


Here is the Traefik part of my docker compose file

version: '3.7'

        image: traefik:2.3
        ports: ["443:443"]
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - --providers.docker
            - --entrypoints.websecure.address=:443
            - --serverstransport.insecureskipverify=true
            - --api
            # Expose the traefik dashboard on the reserved sub path.
            - traefik.http.routers.reverse.service=api@internal
            - traefik.http.routers.reverse.rule=Host(`${PUBLIC_FQDN}`)&&(PathPrefix(`/api`)||PathPrefix(`/dashboard`))
            - traefik.http.routers.reverse.entrypoints=websecure
            - traefik.http.routers.reverse.tls=true

Thanks in advance for any hint!

PS: There was no fitting tag for this subject in the list, so do not hesitate let me know if you think this question belongs to another tag.

I think you will have to do something anyway in the first proxy since whatever name is used in the certificate by Traefik it will never be valid if it's self-signed...

I'm also new to Traefik but I believe I saw an option where you can give Traefik a custom certificate that it would use as the default. Maybe that's the way to go for you.

Yes, exactly that is the path I have chosen after a few tries:

I use mkcert to externally generate self-signed certificates with correct names that I then provide to both traefik and my service. And, in the end, it is closer to "real life" situations where certificates are managed externally in a serious PKI.