Traefik will not use Cloudflare origin certificate

I am trying to switch to Traefik from a (mostly) working NPM setup (the NPM container is removed). Tearing my hair out as I cannot get this working. :slight_smile: :crazy_face:

Here is the setup:

  • Cloudflare handles DNS, with a `domain.com` CNAME pointing to the Cloudflare tunnel ID and `service.domain.com` pointing to `domain.com`.
  • A Cloudflare tunnel (cloudflared container) has an ingress rule pointing to the Traefik container on ip:443.
  • Traefik is SUPPOSED to be using the Cloudflare origin certificate for the wildcard `*.domain.com` and `domain.com`.
  • cloudflared reports this error when I try to browse to the service (I doxxed the domain in the error below):

    ```
    0 event=1 ingressRule=0 originService=ip:443
    2025-01-07T18:02:18Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for 417535e44f2170bcc257fc4713f4b77f.6eb61e76881069d82d6f7588ef630a44.traefik.default, not MYDOMAIN.com" connIndex=0 dest=service.domain.com/ event=0 ip=198.41.192.77 type=ws
    ```

Here are all the relevant files:

Traefik Docker Compose:

```yaml
services:
  traefik:
    image: traefik:v3.2.3
    container_name: CASA_TRAEFIK
    command:
      - "--configFile=/etc/traefik/traefik.yml" # Point to the external traefik.yml
    ports:
      - 80:80
      - 443:443
      - 8079:8080 # Web UI port
    environment:
      - CF_API_EMAIL=MYCLOUDFLAEMAIL
      - CF_API_TOKEN=MYAPITOKEN # Cloudflare API Token
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt # Persistent storage for certificates
      - ./certs:/etc/traefik/certs # Mount the directory containing your Cloudflare certificates
      - ./traefik.yml:/etc/traefik/traefik.yml # Mount the custom traefik.yml config
    networks:
      - casaproxy
    labels:
      - homepage.group=Network
      - homepage.name=Traefik
      - homepage.icon=traefik.png
      - homepage.description=Reverse Proxy
      - homepage.widget.type=traefik
      - homepage.widget.url=IP

networks:
  casaproxy: # Define the internal network
    driver: bridge # Default network driver
```

Here is my traefik.yml:

```yaml
################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: true

################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"

  websecure:
    address: ":443"

################################################################
# Traefik logs configuration
################################################################
log:
  level: DEBUG

################################################################
# API and dashboard configuration
################################################################
api:
  insecure: true # Enable insecure API for monitoring
  dashboard: true # Enable Dashboard (set to false to disable it)

################################################################
# Providers configuration
################################################################
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # Docker socket
    exposedByDefault: false # Do not expose containers by default
    defaultRule: "Host(`{{ normalize .Name }}`)" # Default rule for container names

  file:
    directory: "/etc/traefik" # Directory to watch for certificates (dynamic config)
    watch: true # Watch for changes in dynamic config

################################################################
# Certificates Resolver for Cloudflare
################################################################
certificatesResolvers:
  cloudflare:
    acme:
      dnsChallenge:
        provider: cloudflare # Use DNS challenge for Cloudflare
      email: MYCLLOUDFLAREMAIL # Your Cloudflare email
      storage: "/letsencrypt/acme.json" # Path to store ACME certificates
```

My certs.yml:

```yaml
# Dynamic configuration (certs.yml or dynamic.yml)
tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/cloudflare-origin.pem"
        keyFile: "/etc/traefik/certs/cloudflare-origin.key"
  certificates:
    - certFile: "/etc/traefik/certs/cloudflare-origin.pem"
      keyFile: "/etc/traefik/certs/cloudflare-origin.key"
```

Please ignore the weird `domain . com` spacing; I could not post with more than 4 links and every instance was seen as a link. Sigh.

Got this working. Full post here:

I would enable TLS directly on websecure entrypoint, not on every router.

Thanks for the feedback @bluepuma77, I guess it is a bit redundant.

I'll test to ensure everything still works with one example and then update. cheers!
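The following is an added example, not the poster's final configuration (the linked full post is not reproduced on this page) and not taken from the Traefik documentation. It puts together the two things visible in the thread: the certificate name in the error, `<hash>.<hash>.traefik.default`, is the self-signed fallback certificate Traefik generates itself, which it presents when the default TLS store has no usable certificate; and the reply's suggestion to enable TLS once on the `websecure` entrypoint instead of on every router. Two details of the posted setup are changed: the file provider is pointed at a dedicated dynamic-configuration directory rather than at `/etc/traefik`, which also holds the static `traefik.yml` (so the static file is no longer read as dynamic configuration and the DEBUG log shows exactly which files the provider loads), and `certs.yml` is mounted explicitly, since the posted compose file does not show where it lives. The `./dynamic` and `/etc/traefik/dynamic` paths are assumptions; the certificate paths are the poster's. Note that the error itself is cloudflared verifying the origin certificate, which is the check you want to keep (rather than turning it off with `noTLSVerify`); the fix is to make Traefik present the origin certificate.

```yaml
# docker-compose.yml, relevant parts only (added example; ./dynamic is an assumed path).
# The static config and the dynamic-config directory are mounted separately so the
# file provider only ever sees dynamic configuration.
services:
  traefik:
    image: traefik:v3.2.3
    command:
      - "--configFile=/etc/traefik/traefik.yml"
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro   # static configuration
      - ./dynamic:/etc/traefik/dynamic:ro           # certs.yml goes here (assumed)
      - ./certs:/etc/traefik/certs:ro               # origin cert + key only, no YAML
---
# traefik.yml (static, added example): TLS enabled once on the entrypoint,
# file provider watching the dynamic directory only.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"
  websecure:
    address: ":443"
    http:
      tls: {}   # every router on websecure terminates TLS; no per-router tls needed
log:
  level: DEBUG  # shows which dynamic files the file provider loads
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: "/etc/traefik/dynamic"  # not /etc/traefik, which holds traefik.yml
    watch: true
---
# dynamic/certs.yml (added example): the Cloudflare origin certificate is both the
# default certificate (used when no SNI match exists) and a SNI-matched certificate
# for domain.com / *.domain.com.
tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/cloudflare-origin.pem"
        keyFile: "/etc/traefik/certs/cloudflare-origin.key"
  certificates:
    - certFile: "/etc/traefik/certs/cloudflare-origin.pem"
      keyFile: "/etc/traefik/certs/cloudflare-origin.key"
```

To check what Traefik actually presents before involving the tunnel, run from the Docker host `openssl s_client -connect IP:443 -servername service.domain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName`, using the same name cloudflared validates in the error message, and confirm the subject alternative names include `*.domain.com`. A subject ending in `.traefik.default` means the default store still has no certificate, so the dynamic file was not loaded; the DEBUG log will show whether the file provider picked it up.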
