JRehkemper.de

Add Custom SSL Certificate to Traefik

If you have internal services behind a Traefik reverse proxy and want to use SSL certificates, you have two options:
By default, Traefik will use its own self-signed certificate. This works fine for encrypting your connections, but your browser will always complain that it is not secure.
To solve this, we can use certificates from a custom CA. I have a post to deploy one here.

Configure Traefik

Depending on your setup some paths may vary. Adjust them to your setup.

In my docker-compose.yml I have a volume mount for certificates.

services:
  traefik:
    ...
    volumes:
      ...
      - ./ssl-certs:/etc/traefik/certs
    ...


The first step is to copy our certificate and its private key into this directory. Again, your path is probably different.

$ cp mycert.crt <your-path-to-docker-compose.yml>/ssl-certs
$ cp mykey.pem <your-path-to-docker-compose.yml>/ssl-certs

Next, we need to instruct Traefik to use this certificate. This is done by editing the main configuration file of Traefik. Mine is called traefik.yml and is mounted under /etc/traefik/traefik.yml.
In there, scroll to the tls section and add the following.

tls:
  certificates:
    - certFile: /etc/traefik/certs/mycert.crt
      keyFile: /etc/traefik/certs/mykey.pem

And that’s it. Traefik will check whether any containers have Host rules that match the CN of the certificate and apply the certificate that you provided.

If it does not work, make sure that your certificate includes a subjectAlternativeNames section.
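
A pre-flight check for the two points above (a subjectAlternativeName section and names that match your Host rules), added here as an example and not part of the original post. The function names and the host name app.lan.example are hypothetical, the openssl CLI (1.1.1 or newer for -ext) is assumed, and the wildcard handling follows the usual one-label rule, which goes beyond what the post covers.

```sh
#!/bin/sh
# Added example: checks to run on mycert.crt / mykey.pem before mounting them.

# Print the DNS entries of the certificate's subjectAltName, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed if hostname $1 is covered by SAN entry $2 (case-insensitive).
# A wildcard stands for exactly one left-most label.
san_matches() (
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    san=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$san" in
        \*.*) [ -n "${host%%.*}" ] && [ "$host" = "${host%%.*}${san#?}" ] ;;
        *)    [ "$host" = "$san" ] ;;
    esac
)

# Print every host (arguments 2..n) that no SAN in the list $1 covers.
uncovered_hosts() (
    set -f                      # keep "*.example" from globbing file names
    sans=$1; shift
    for host in "$@"; do
        hit=no
        for san in $sans; do
            if san_matches "$host" "$san"; then hit=yes; break; fi
        done
        [ "$hit" = yes ] || printf '%s\n' "$host"
    done
)

# Succeed if the private key $2 belongs to the certificate $1.
key_matches_cert() (
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
)

# Usage: check_traefik_cert mycert.crt mykey.pem app.lan.example ...
check_traefik_cert() (
    cert=$1; key=$2; shift 2
    sans=$(cert_dns_sans "$cert")
    [ -n "$sans" ] || { echo "FAIL: no DNS subjectAltName in $cert"; exit 1; }
    key_matches_cert "$cert" "$key" || { echo "FAIL: $key does not match $cert"; exit 1; }
    missing=$(uncovered_hosts "$sans" "$@")
    [ -z "$missing" ] || { echo "FAIL: no SAN covers:" $missing; exit 1; }
    echo "OK: key matches and every host is covered"
)
```

Pass it the same host names you use in your containers' Host rules.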

Jannik Rehkemper

I'm a professional Linux Administrator and Hobby Programmer. My training as an IT-Professional started in 2019 and ended in 2022. Since 2023 I'm working as a Linux Administrator.