My boring Blog

Mauro Frigerio blog

How to use Tailscale certificates with Traefik

19-05-2024 2 min read Article

The new release of Traefik with major release 3, introduced some new features. Among them is the integration with Tailscale certificates. This new feature makes it easy to have certificates for https.

Of course, there are some limitations and they must be considered (installation on docker):

  1. Tailscale must be running on the machine on which docker is running
  2. currently (see #9772) may only apply for the certificate of the local machine (hostname defined on Tailscale admin panel)

Tailscale configuration

Several guides can be found on how to create Tailscale networks, so it will not be part of this guide. To make the next step work, the following points must be configured (administration console, in the DNS tab):

  1. a name must be defined for the Tailnet (in this example
  2. activate MagicDNS
  3. activate the HTTPS certificates

To test operation you need two machines, one running docker (in this example I will use server-traefik as the hostname on Tailscale). Both must be part of a Tailscale network and be able to communicate with each other (be careful if you have configured any ACLs).

Before going to the next step, make sure that the Tailscale network is started with the command (on linux):

sudo tailscale up

Traefik configuration

Here is an example of configuration with docker compose to get a working example (derived from documentation).



    image: traefik:v3.0
    container_name: traefik
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      - "--certificatesresolvers.myresolver.tailscale=true"
      - 80:80
      - 443:443
      - 8080:8080
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock

    image: containous/whoami:latest
    container_name: whoami
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(``)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

Now you can create containers with the command:

sudo docker compose up -d

Now you can enter in your browser to view the ẁhoami container information and enjoy! If it does not work you can connect to port 8080 and see the current configuration loaded by Traefik.