Specify a certificate to use through docker labels (Cloudflare origin certs)

Hi all,
I'm new to traefik, coming from nginx proxy manager (NPM) so I'm sure a similar question has been asked before but I am unable to find a simple answer.

Cloudflare offers "origin server certificates" for the purpose of encrypting traffic between Cloudflare and your origin server. One is generated per domain. In my setup, public SSL is applied through Cloudflare and its proxy

In NPM it was simple to upload each origin certificate and select it for each host you added.
Is there a similar way to do this in Traefik?

I have managed to add all the origin certificates into Traefik through a file in the dynamic configuration:

# Dynamic configuration
# in configuration/certificates.yaml
tls:
  certificates:
    # first certificate
    - certFile: /path/to/example-com.cert
      keyFile: /path/to/example-com.key

    # second certificate
    - certFile: /path/to/other.cert
      keyFile: /path/to/other.key

# and so on

As far as I understand, Traefik will automatically select the required cert, but as it is not a 'true' certificate, for lack of better words (it's only recognized by Cloudflare), I don't think this works.

What I am looking for is a way to apply a label to each container to tell Traefik which cert to use (or Let's Encrypt in some cases), in the same way you would use traefik.http.routers.my-app.rule=Host(`example.com`).

Could TLS stores be used to do this?

Thanks for any suggestions.

You need to load the dynamic config with provider.file in static config, then enable TLS on the router (like label …tls=true).

If the cert does not include the domain name, then you need to load it as the default cert. (doc)

Let us know if that worked, just theory on my side.
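The setup described in the reply above, written out end to end as an added example (this is constructed illustration, not configuration posted by anyone in this thread). It assumes a file provider directory of /etc/traefik/dynamic, certificates mounted under /etc/traefik/certs, and a Cloudflare origin certificate that names the apex and wildcard of each domain; all paths, file names and the app.example.com hostname are placeholders. Traefik picks the certificate whose names match the SNI hostname the client sends, and falls back to the default certificate when nothing matches, so a per-container label pointing at a specific file certificate is not needed as long as each origin certificate actually lists its domain:

```yaml
# traefik.yml (static configuration, constructed example)
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  docker:
    # only containers that opt in with traefik.enable=true are routed
    exposedByDefault: false
  file:
    # dynamic config, including the tls.certificates list, is loaded from here
    directory: /etc/traefik/dynamic
    watch: true

---
# /etc/traefik/dynamic/certificates.yaml (dynamic configuration, constructed example)
tls:
  certificates:
    # one Cloudflare origin certificate per domain; Traefik matches these
    # against the SNI hostname, so each file must name the domain it serves
    - certFile: /etc/traefik/certs/example-com.pem
      keyFile: /etc/traefik/certs/example-com.key
    - certFile: /etc/traefik/certs/other-tld.pem
      keyFile: /etc/traefik/certs/other-tld.key
  stores:
    default:
      # served when no certificate in the list matches the requested name
      defaultCertificate:
        certFile: /etc/traefik/certs/example-com.pem
        keyFile: /etc/traefik/certs/example-com.key
  options:
    default:
      # origin certs are only trusted by Cloudflare, so nothing is gained by
      # accepting legacy protocol versions on the origin side
      minVersion: VersionTLS12

---
# docker-compose.yml excerpt (constructed example)
services:
  traefik:
    image: traefik:v2.10
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./certs:/etc/traefik/certs:ro

  my-app:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-app.rule=Host(`app.example.com`)"
      - "traefik.http.routers.my-app.entrypoints=websecure"
      # tls=true is what makes the router use the certificates loaded above;
      # no certresolver is set, so Let's Encrypt is not involved for this host
      - "traefik.http.routers.my-app.tls=true"
```

Because the origin certificate is only recognised by Cloudflare, a browser reaching the origin directly would still see an untrusted certificate; the value of this arrangement comes from Cloudflare verifying the origin (its "Full (strict)" mode) while direct access to port 443 is restricted to Cloudflare's address ranges at the firewall.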

That is the general idea across the forums.
The problem is, I have multiple domains, all with this problem.
As I can set more than one default certificate (obviously), I need to be able to tell Traefik which one to use (the same way you would specify a certificate resolver).

Did you try to dump a CF cert to see what’s inside? Use something like this:

 openssl x509 -in certificate.pem -text

I found this post on google when trying to find a solution to the same issue (origin cert from CF). I didn’t find the solution I was looking for but I found this forum post by Traefik which helped.

Basically, each origin cert is read in sequential order and the first one that matches the domain being requested is used so you probably don’t want 2 certificates covering the same domain since only the first one will be used.

That is my understanding from the blog post. If you or anyone else came up with a different understanding please post!
