TLS Stores For Different Certificates But Same Exact Domain

I have 2 certificates for the same exact domains, example.com and *.example.com.

One is a private self-signed certificate and the other is a public Cloudflare certificate.

How can I set this up so that I can reference the self-signed one for the services that need to use self-signed and the Cloudflare one for the services that need to use the Cloudflare certificate?

Here is my current setup for the dynamic.yaml file:

tls:
  certificates:
    # cloudflare certs for example.com and *.example.com
    - certFile: "/etc/certs/cloudflare-cert.pem"
      keyFile: "/etc/certs/cloudflare-key.pem"
    # self-signed certs for example.com and *.example.com
    - certFile: "/etc/certs/self-signed-cert.pem"
      keyFile: "/etc/certs/self-signed-key.pem"


  stores:
    default:
      defaultCertificate:
        certFile: "/etc/certs/cloudflare-cert.pem"
        keyFile: "/etc/certs/cloudflare-key.pem"

Volume mount in the traefik.yaml file (using Traefik v3.2.5, as shown by the Traefik dashboard):

services:

  traefik:
    image: "traefik:v3.2"
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/data/traefik/conf/dynamic.yaml:/etc/traefik/dynamic.yaml:ro"
      - "/data/traefik/certs:/etc/certs:ro"

The dir/file permissions on the host where the Traefik container is running:

# ls -lha /data/traefik/
total 24K
drwxr-xr-x  6 root root 4.0K Jul 12 04:41 .
drwxr-xr-x 13 root root 4.0K Jul  8 09:01 ..
drwxr-xr-x  2 root root 4.0K Jul 12 04:41 certs
drwxr-xr-x  2 root root 4.0K Jul 12 04:53 conf
drwxr-xr-x  2 root root 4.0K Nov 11  2024 config

# ls -lha /data/traefik/certs/
total 48K
drwxr-xr-x 2 root root 4.0K Jul 12 04:41 .
drwxr-xr-x 6 root root 4.0K Jul 12 04:41 ..
-rw-r--r-- 1 root root 1.7K Mar 18 07:02 cloudflare-cert.pem
-rw-r--r-- 1 root root 1.7K Mar 18 07:02 cloudflare-key.pem
-rwxr-xr-x 1 root root 1.7K Jul 12 04:41 self-signed-cert.pem
-rwxr-xr-x 1 root root 1.7K Jul 12 04:41 self-signed-key.pem

# ls -lha /data/traefik/conf
total 44K
drwxr-xr-x 2 root root 4.0K Jul 12 04:53  .
drwxr-xr-x 6 root root 4.0K Jul 12 04:41  ..
-rw-r--r-- 1 root root  466 Jul 12 10:33  dynamic.yaml

So how do I update these so that app-1.yaml uses the Cloudflare certs

services:

  app-1:
    image: "app/app-1:latest"
    networks:
      - secret
    env_file:
      - .env.app-1
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.node != server-a
      update_config:
        parallelism: 1
        order: start-first
        monitor: 5s
      labels:
        traefik.enable: "true"
        traefik.docker.network: secret
        traefik.http.services.app-1.loadbalancer.server.port: "8080"
        traefik.http.routers.app-1-http.entrypoints: http
        traefik.http.routers.app-1-http.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.entrypoints: https
        traefik.http.routers.app-1-https.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.tls: "true"

networks:
  secret:
    external: true

and app-2.yaml uses the self-signed certs?

services:

  app-2:
    image: "app/app-2:latest"
    networks:
      - secret
    env_file:
      - .env.app-2
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.node != server-a
      update_config:
        parallelism: 1
        order: start-first
        monitor: 5s
      labels:
        traefik.enable: "true"
        traefik.docker.network: secret
        traefik.http.services.app-2.loadbalancer.server.port: "8080"
        traefik.http.routers.app-2-http.entrypoints: http
        traefik.http.routers.app-2-http.rule: Host(`app-2.example.com`)
        traefik.http.routers.app-2-https.entrypoints: https
        traefik.http.routers.app-2-https.rule: Host(`app-2.example.com`)
        traefik.http.routers.app-2-https.tls: "true"

networks:
  secret:
    external: true
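An added check prompted by the directory listing above (example code, not from the post or from Traefik): both key files are readable by group and other, and the self-signed pair also carries execute bits. The script parses a constructed copy of those `ls -l` lines and reports what should be tightened; the official Traefik image runs as root, so 0600 root-owned keys keep working with the `:ro` bind mount.

```python
"""Audit mode bits from `ls -l` for TLS files (added example, not from Traefik)."""
import re
from dataclasses import dataclass

# Constructed copy of the /data/traefik/certs listing shown in the post.
LS_OUTPUT = """\
total 48K
drwxr-xr-x 2 root root 4.0K Jul 12 04:41 .
drwxr-xr-x 6 root root 4.0K Jul 12 04:41 ..
-rw-r--r-- 1 root root 1.7K Mar 18 07:02 cloudflare-cert.pem
-rw-r--r-- 1 root root 1.7K Mar 18 07:02 cloudflare-key.pem
-rwxr-xr-x 1 root root 1.7K Jul 12 04:41 self-signed-cert.pem
-rwxr-xr-x 1 root root 1.7K Jul 12 04:41 self-signed-key.pem
"""

# fields: type, 9 perm chars (+ optional ACL/SELinux marker), links, owner, group, size, month, day, time|year, name
LS_LINE = re.compile(
    r"^([-dl])([rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\d+\s+\S+\s+(.+?)\s*$"
)

@dataclass
class Finding:
    name: str
    mode: int
    problem: str

def mode_to_octal(perm: str) -> int:
    """'rwxr-xr-x' -> 0o755; capital S/T mean the x bit is clear."""
    bits = 0
    for ch in perm:
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits

def audit_listing(listing: str) -> list[Finding]:
    """Flag PEM files whose mode bits are wider than a TLS store needs."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m or m.group(1) != "-" or not m.group(5).endswith(".pem"):
            continue
        name, mode = m.group(5), mode_to_octal(m.group(2))
        if "key" in name and mode & 0o077:  # private key readable beyond its owner
            findings.append(Finding(name, mode, "private key readable by group/other"))
        if mode & 0o111:  # certs and keys are data, never executables
            findings.append(Finding(name, mode, "execute bit set on PEM file"))
    return findings

def remediation(findings: list[Finding]) -> dict[str, int]:
    """Target mode per flagged file: 0600 for keys, 0644 for certificates."""
    return {f.name: 0o600 if "key" in f.name else 0o644 for f in findings}
```

Run it against `ls -l` output captured from the host to get the list of files to `chmod`; the key-name heuristic is a simple substring match, so name your key files accordingly.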

When you already have a Cloudflare public TLS cert, why would you want to use a private TLS cert, when the service is public anyway?

When you want to serve two certs, what are the criteria to select them? Internal requests from 10.0.0.x get the private cert?

There are private apps that are not exposed publicly that I want to use the self-signed certificates for; that is why.

app-1.example.com is public and exposed publicly and thus uses the Cloudflare certs.

app-2.example.com is private and not exposed, internal only, and that will use the self-signed certificates.

I have opened a feature request for this.

It is sad that the Traefik developers decided to force everyone to only use 1 TLS store, and all use cases in the world mean 1 certificate is for 1 domain and that is final, no other possibilities exist.

Just sad, but here it is; please upvote if you agree.

It seems you are the first person in many years to want this feature. Why should they invest their resources into this?

Traefik is open source, you can implement the change yourself and provide a pull request.

You think no one wants or needs this? Most people do not come on forums to post like I am doing.

Have you ever thought of no downtime certificate update? Do you think that will be another use case for this?

We have been doing no-downtime TLS cert updates for years with Traefik. It just works with certResolver and custom TLS certs via a (watched) dynamic config file.

Come on, man, not everyone is using Let's Encrypt. Some people use other types for whatever other reasons.

I don’t get your point. You can use any kind of TLS cert. Reference or inline it in a dynamic config file. When watched, it is seamlessly updated, no service interruption.

You lost me at "same exact domains". example.com and *.example.com are not the same, and Traefik easily lets you set up routing rules for each separately.