My boring Blog

Mauro Frigerio blog

Cloudflare origin certificates in Traefik

23-07-2022

If you use Cloudflare as the DNS provider for your domains, you can take advantage of its SSL certificates to secure your websites, so you do not have to struggle with Traefik and Let’s Encrypt to generate your own certificates.

This guide is also useful if you use the free domains described in this post, because Cloudflare blocks the creation of Let’s Encrypt certificates for them.

Concept

Cloudflare issues a dedicated certificate that lets your server communicate securely with Cloudflare’s servers only. Browsers do not recognize this certificate as valid; Cloudflare’s proxies instead present visitors with a separate certificate that is valid and recognized by all major browsers.

Cloudflare origin certificate

Cloudflare’s origin certificate allows secure communication (HTTPS) between your server and Cloudflare’s servers. Direct communication between your server and a browser is still possible, but the browser will not recognize the presented certificate as valid.

How to generate an origin certificate

  1. Log in to the Cloudflare dashboard and open the settings for the domain concerned.

  2. In the SSL/TLS menu, under Overview, turn on the Full (strict) mode.

  3. In the SSL/TLS menu, under Origin Server, generate the certificate by clicking Create Certificate. The default options should already be correct, so click the Create button at the bottom.

  4. Copy the private key and save it to a file with a name of your choice (I recommend domain-name.key).

  5. Copy the generated certificate and save it to a file with a name of your choice (I recommend domain-name.pem).

  6. Save both files in a folder accessible from the Traefik Docker container.

Traefik configuration

  1. In Traefik’s docker-compose file, add the folder where you saved the Cloudflare certificate; you can also mount other certificates, such as those from [Let’s Encrypt](https://letsencrypt.org/), at the same time. In this example the folder is called cert_traefik_examples_tk, and the :ro at the end of the line tells Docker to mount the folder read-only.

```yaml
volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/user/docker/traefik/acme.json:/acme.json
      - /home/user/docker/traefik/FileProvider/:/FileProvider/
      - /home/user/docker/traefik/cert_traefik_examples_tk:/cert_traefik_examples_tk:ro
```

  2. Add the location and name of the certificate and key to Traefik’s configuration. The example below is for a .toml file.

```toml
[[tls.certificates]]
  certFile = "cert_traefik_examples_tk/cert_traefik_examples_tk.pem"
  keyFile = "cert_traefik_examples_tk/cert_traefik_examples_tk.key"
```

  3. Recreate the Traefik container with the command

```shell
sudo docker-compose up -d traefik
```
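Before recreating the container it is worth checking that the two files you pasted actually belong together and cover the domain. The POSIX shell function below is an added example, not part of the original post; it assumes openssl is installed and takes the certificate path, key path and domain as arguments.

```shell
#!/bin/sh
# check_origin_cert CERT.pem KEY.key DOMAIN
# Sanity-checks an origin certificate/key pair before mounting it into Traefik:
# the key must match the certificate, the SAN list must cover DOMAIN, and the
# certificate must not expire within 30 days. Issuer and expiry are printed so
# you can confirm it is the Cloudflare Origin CA certificate (15-year validity).
# Returns 0 when all hard checks pass, 1 otherwise.
check_origin_cert() {
    cert=$1; key=$2; domain=$3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key"; return 1; }

    # 1. The private key must belong to this certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; return 1
    fi

    # 2. The SAN list must contain the exact name or a wildcard for its parent.
    sans=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1)
    parent=${domain#*.}
    case "$sans" in
        *"DNS:$domain"*|*"DNS:*.$parent"*) ;;
        *) echo "FAIL: $domain not in SAN list:$sans"; return 1 ;;
    esac

    # 3. Must still be valid in 30 days (2592000 s); -checkend exits nonzero if not.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days"; return 1
    fi

    # 4. Informational: issuer and expiry. Cloudflare origin certificates are
    #    issued by the "CloudFlare Origin SSL Certificate Authority".
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    echo "$issuer"
    openssl x509 -in "$cert" -noout -enddate
    case "$issuer" in
        *[Cc]loud[Ff]lare*) ;;
        *) echo "WARN: issuer is not Cloudflare's Origin CA" ;;
    esac

    # 5. Hygiene: the private key should not be readable by other users.
    if [ -n "$(find "$key" -perm -o=r 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable; consider chmod 600"
    fi
    return 0
}
```

Run it as check_origin_cert domain-name.pem domain-name.key example.tk; a non-zero exit means the files should not be mounted as they are.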

Conclusion

This solution is the only one applicable if you use Cloudflare to manage free domains such as .tk. The drawback is that you never communicate with the server locally; traffic always goes through Cloudflare’s servers. If you have a poor internet connection, this is not the ideal solution (double the traffic, with a round trip through Cloudflare). The advantage is that the generated certificate is valid for 15 years, so you do not have to renew it every year (a limit imposed by Apple).


Credits: cover photo by Rúben Gál from Pixabay