Specify a certificate to use through docker labels (Cloudflare origin certs)

Hi all,
I'm new to traefik, coming from nginx proxy manager (NPM) so I'm sure a similar question has been asked before but I am unable to find a simple answer.

Cloudflare offers "origin server certificates" for the purpose of encrypting traffic between Cloudflare and your origin server. One is generated per domain. In my setup, public SSL is applied through Cloudflare and its proxy

in NPM it was simple to upload each origin certificate and select them for each host you added.
is there a similar way to do this in Traefik?

i have managed to add all the origin certificates into traffic through a file in the dynamic configuration:

# Dynamic configuration
# in configuration/certificates.yaml
    # first certificate
    - certFile: /path/to/example-com.cert
      keyFile: /path/to/example-com.key

    # second certificate
    - certFile: /path/to/other.cert
      keyFile: /path/to/other.key

# and so on

As far as I understand, trafik will automatically select the required cert but as is not a 'true certificate for lack of better words (it's only recognized by Cloudflare) I don't think this works.

what I am looking for is a way to apply a label to each container to tell Traefik which cert to use (or let's encrypt in some cases). In the same way you would use traefik.http.routers.my-app.rule=Host(example.com)

could tls stores be used to do this?

thanks for any suggestions

You need to load the dynamic config with provider.file in static config, then enable TLS on the router (like label …tls=true).

If the cert does not include the domain name, then you need to load it as the default cert. (doc)

Let us know if that worked, just theory on my side.

that is the general idea across the forums.
the problem is, I have multiple domains, all with this problem.
As I can set more than one default certificate (obviously), I need to be able to tell traefik which one to use. (the same way you would specify a certificate resolver.)

Did you try to dump a CF cert to see what’s inside? Use something like this:

 openssl x509 -in certificate.pem -text

I found this post on google when trying to find a solution to the same issue (origin cert from CF). I didn’t find the solution I was looking for but I found this forum post by Traefik which helped.

Basically, each origin cert is read in sequential order and the first one that matches the domain being requested is used so you probably don’t want 2 certificates covering the same domain since only the first one will be used.

That is my understanding from the blog post. If you or anyone else came up with a different understanding please post!

1 Like