Traefik not using Acme SSL cert for API. Cloudflare 525 SSL handshake error

Hello, I had access to my dashboard while I had the API insecure set to true. I just switched it to false and now I am getting the Cloudflare 525 SSL handshake error. It looks like it is providing the Traefik default certificate, but I tried adding settings to the dynamic config to have it pull a certificate.

```yaml
http:
  routers:
    dashboard:   # the router name and the enclosing http/routers keys were cut from the post; "dashboard" is a placeholder
      entryPoints:
        - "web"
        - "websecure"
      rule: Host(`traefik.[redacted]`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      middlewares:
        - traefikAuth
        - chain
      tls:
        certResolver: production
        domains:
          - main: "traefik.[redacted]"
        options: "modern"
```

Any help would be great. I would hope that I don't have to keep it with API insecure set to true to access my dashboard through Cloudflare. All my other services still work through Cloudflare.

How is production set up in your static config?

What is CloudFlare doing for you? Is it terminating (decrypting) the TLS/SSL connection? Is it forwarding requests unencrypted or does it forward the TLS connection to Traefik? Or will it just provide a TLS/SSL certificate?

Do you have an active redirect 80->443 on your entrypoints in static config?

I have it set up the following way.

```yaml
certificatesResolvers:
  production:
    acme:
      email: "[redacted]"
      storage: /etc/traefik/certs/acme.json
      dnsChallenge:
        provider: cloudflare
```

I have the SSL/TLS set to Full on Cloudflare. I read something about dropping it to Flexible, but I don't want to do that. I do not see anything about how the connection from Cloudflare to the server is protected or handled. When I went to the Traefik dashboard with the API set to insecure, it showed the Traefik default cert; now that it is set to secure in the API, I am getting the sni.cloudflare signed cert when I try to go to the dashboard, but I am still getting the 525.
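To tell whether the origin itself serves the Traefik default certificate or the ACME one for the dashboard hostname (the cert seen through Cloudflare is Cloudflare's edge cert, so it says nothing about the origin), the following added helper connects straight to the origin with SNI and classifies the result. This is an added example, not from any poster in this thread; `traefik.example.test` and `203.0.113.10` are placeholder values.

```sh
#!/bin/sh
# probe_origin_cert HOST [ORIGIN] [PORT]
# Connects directly to the origin (bypassing Cloudflare) with SNI=HOST
# and prints the subject/issuer of the leaf certificate Traefik presents.
probe_origin_cert() {
  host="$1"
  origin="${2:-$1}"   # origin IP or name; defaults to HOST (only useful if DNS is not proxied)
  port="${3:-443}"
  openssl s_client -servername "$host" -connect "$origin:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer 2>/dev/null
}

# classify_cert TEXT
# TEXT is the subject/issuer output of probe_origin_cert. Traefik's built-in
# fallback certificate has CN "TRAEFIK DEFAULT CERT"; a certificate from the
# "production" resolver (Let's Encrypt by default) carries that issuer instead.
classify_cert() {
  case "$1" in
    "")                       echo "no-cert" ;;        # handshake failed: Cloudflare would report 525
    *"TRAEFIK DEFAULT CERT"*) echo "traefik-default" ;; # router has no matching tls cert
    *"Let's Encrypt"*)        echo "acme" ;;           # resolver issued a real certificate
    *)                        echo "other" ;;
  esac
}

# Example usage (placeholder values; run against your own origin):
#   classify_cert "$(probe_origin_cert traefik.example.test 203.0.113.10)"
```

A result of `traefik-default` means the router's `tls` section is not being applied for that Host, while `no-cert` means the origin does not complete a TLS handshake at all on that port.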

You could try without this. Domain will be taken from Host().

I did this, and I am back to getting a 404 on the site for some reason. No more 525 errors, though; I just can't access the dashboard.

I would say that is good, because TLS comes before internal routing.

Have you tried those URLs? Take note of the trailing slash.
Check your Traefik access logs.
Check your Traefik debug logs.
Check your browser's developer tools' network tab.

You still haven't shared your full config (docker, static, dynamic), so it's still hard to help you.