Cloudflare origin certificates in Traefik
Using Cloudflare as the DNS provider for your domains, you can take advantage of its SSL certificates to secure your websites, so you don’t have to struggle with Traefik and Let’s Encrypt to generate your own certificates.
This guide is also useful if you use the free domains described in this post, because Cloudflare blocks the creation of certificates via Let’s Encrypt.
Cloudflare issues a dedicated certificate that is intended only for communication between your server and Cloudflare’s servers; browsers do not recognize it as valid. Cloudflare’s proxies then present visitors with a certificate that is valid and recognized by all major browsers.
Cloudflare origin certificate
Cloudflare’s origin certificate allows secure communication (HTTPS) between your server and Cloudflare’s server. Direct communication between your server and a browser is possible, but the browser does not recognize the provided certificate as valid.
How to generate an origin certificate
- Log in to the Cloudflare dashboard and open the settings for the domain concerned.
- Open the SSL/TLS menu, then Overview, and turn on the Full (strict) mode option.
- Open the SSL/TLS menu, then Origin Server; you can generate the certificate by clicking Create Certificate. The default options should already be the correct ones, so click the Create button at the bottom.
- Copy the private key and save it to a file with a name of your choice (I recommend domain-name.key).
- Copy the generated certificate and save it to a file with a name of your choice (I recommend domain-name.pem).
- Save the files in a folder accessible from the Traefik Docker container.
- In Traefik’s docker-compose add the folder where you saved the Cloudflare certificate; you can also use other certificates, such as those from [Let’s Encrypt](https://letsencrypt.org/), at the same time. In this case the folder is called `cert_traefik_examples_tk`. The `ro` at the end of the line tells Docker to mount the folder read-only.

```yaml
volumes:
  - /var/run/docker.sock:/var/run/docker.sock
  - /home/user/docker/traefik/acme.json:/acme.json
  - /home/user/docker/traefik/FileProvider/:/FileProvider/
  - /home/user/docker/traefik/cert_traefik_examples_tk:/cert_traefik_examples_tk:ro
```
- Add in the static configuration of Traefik the location and name information for the certificate and key. The example below is for a

```toml
[[tls.certificates]]
  certFile = "cert_traefik_examples_tk/cert_traefik_examples_tk.pem"
  keyFile = "cert_traefik_examples_tk/cert_traefik_examples_tk.key"
```
- Recreate the Traefik container with the command:

```bash
sudo docker-compose up -d traefik
```
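As an added example that is not part of the original post, a small Python lint that checks the two fragments above against each other: every `certFile`/`keyFile` in the TLS configuration must resolve to a path under a volume that is actually mounted into the container, and that mount should carry `:ro` as the post recommends. The compose and TOML fragments are embedded as constructed samples, and the resolution of relative paths from `/` (the official Traefik image's working directory) is my assumption.

```python
import posixpath
import re

# Constructed sample: the "volumes:" block of the Traefik docker-compose service.
COMPOSE_VOLUMES = """\
volumes:
  - /var/run/docker.sock:/var/run/docker.sock
  - /home/user/docker/traefik/acme.json:/acme.json
  - /home/user/docker/traefik/FileProvider/:/FileProvider/
  - /home/user/docker/traefik/cert_traefik_examples_tk:/cert_traefik_examples_tk:ro
"""

# Constructed sample: the [[tls.certificates]] entries from the file provider.
TLS_TOML = """\
[[tls.certificates]]
  certFile = "cert_traefik_examples_tk/cert_traefik_examples_tk.pem"
  keyFile = "cert_traefik_examples_tk/cert_traefik_examples_tk.key"
"""


def parse_mounts(volumes_yaml):
    """Return {container_path: is_read_only} for each 'host:container[:opts]' line."""
    mounts = {}
    for line in volumes_yaml.splitlines():
        line = line.strip()
        if not line.startswith("- "):
            continue
        parts = line[2:].split(":")
        if len(parts) < 2:
            continue
        opts = parts[2].split(",") if len(parts) > 2 else []
        mounts[posixpath.normpath(parts[1])] = "ro" in opts
    return mounts


def lint_tls_files(tls_toml, mounts, workdir="/"):
    """Report every certFile/keyFile that is not under a read-only mount.
    Relative paths resolve against `workdir` (assumed "/", the image's working dir)."""
    problems = []
    for key, path in re.findall(r'(certFile|keyFile)\s*=\s*"([^"]+)"', tls_toml):
        full = posixpath.normpath(posixpath.join(workdir, path))
        hits = [m for m in mounts if full == m or full.startswith(m.rstrip("/") + "/")]
        if not hits:
            problems.append(f"{key} {path}: not under any mounted volume")
        elif not mounts[max(hits, key=len)]:  # longest matching mount wins
            problems.append(f"{key} {path}: mount is writable, expected :ro")
    return problems


if __name__ == "__main__":
    for problem in lint_tls_files(TLS_TOML, parse_mounts(COMPOSE_VOLUMES)):
        print("WARN", problem)
```

Run it against your own compose file and file-provider TOML before `docker-compose up`; an empty result means every referenced certificate and key is reachable inside the container and cannot be modified from within it.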
This solution is the only one applicable if you use Cloudflare to manage free domains such as .tk. The drawback, however, is that you never communicate locally with the server but always through Cloudflare’s servers. If you have a poor internet connection, this is not the ideal solution (double the traffic, with a round trip through Cloudflare). The advantage is that the generated certificate is valid for 15 years, so you do not have to renew it every year (a limit imposed by Apple).