Installing an SSL Certificate on Traefik

Samantha Clark

Traefik is a widely used edge router for container deployments, and it handles SSL Certificates through dynamic configuration files that it watches and reloads automatically. That automation is a genuine advantage, because a correctly placed SSL Certificate goes live without restarting anything.

This guide covers installing an issued SSL Certificate on Traefik 2 and 3 using the file provider, which is the standard approach for SSL Certificates obtained outside of Traefik itself.

Prerequisites and Required Files

You need access to the Traefik host with permission to edit its configuration, plus an HTTPS entrypoint (conventionally named websecure) listening on port 443 in the static configuration, which most installations already have. Transport Layer Security (TLS) termination itself is switched on per router, or for the whole entrypoint through its http.tls option, rather than by the entrypoint's address alone.

You also need your issued SSL Certificate, the ca-bundle containing the Intermediate Certificates, and the Private Key generated with your Certificate Signing Request (CSR). The first two are available in the tracking system at any time. View Our Tracking & SSL Management 🔗

Preparing the SSL Certificate Files

Traefik reads the chain from the same file as the SSL Certificate, so concatenate the two before deployment, with your own SSL Certificate first.

cat yourdomain.crt yourdomain.ca-bundle > /opt/traefik/certs/yourdomain-fullchain.crt

Copy the Private Key alongside it, make sure it is owned by the account Traefik runs as, and lock the permissions down to that owner, since the key must never be readable by other users on the host.

sudo chmod 600 /opt/traefik/certs/yourdomain.key

Before configuring anything, confirm the SSL Certificate and Private Key actually pair. Two quick OpenSSL commands extract the public key from each, and the two hash values must match exactly. Because openssl x509 reads only the first certificate in a file, running it against the fullchain file also proves your own SSL Certificate comes first: if the ca-bundle was concatenated ahead of it, the hash is the Intermediate Certificate's and will not match.

openssl x509 -in yourdomain-fullchain.crt -noout -pubkey | openssl sha256
openssl pkey -in yourdomain.key -pubout | openssl sha256
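The preparation steps above, run end to end as an added example that is not part of the original guide. It first constructs a throwaway root, intermediate and leaf with openssl (standing in for the files you download from the tracking system), then builds the fullchain, locks the key and runs the pairing check, plus two checks the guide does not show: that your certificate is first in the file, and that the bundle actually chains the leaf back to a root. File names follow the guide; the test PKI and the root.crt trust anchor are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Builds a throwaway
# root -> intermediate -> leaf chain so the preparation checks can be
# exercised offline, then runs the same checks you would run on issued files.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI standing in for the issued certificate and ca-bundle.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Test Root' -days 2 \
    -keyout root.key -out root.crt >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.crt >/dev/null 2>&1
  printf 'subjectAltName=DNS:yourdomain.com\nbasicConstraints=CA:FALSE\n' > leaf.ext
  openssl req -newkey rsa:2048 -nodes -subj '/CN=yourdomain.com' \
    -keyout yourdomain.key -out yourdomain.csr >/dev/null 2>&1
  openssl x509 -req -in yourdomain.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out yourdomain.crt >/dev/null 2>&1
  cp int.crt yourdomain.ca-bundle   # what the ca-bundle download contains
}

# 1. Fullchain: your certificate first, then the issuing chain.
build_fullchain() { cat "$1" "$2" > "$3"; }

# 2. Lock the private key to its owner.
lock_key() { chmod 600 "$1"; }

# 3. Pairing check: public-key hash of the certificate vs the key.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# 4. Order check: openssl x509 parses only the FIRST certificate in a file,
#    so the fullchain's first subject must equal your certificate's subject.
leaf_is_first() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]
}

# 5. Chain check: -untrusted holds the intermediates exactly as Traefik will
#    send them; -CAfile is what the client already trusts (the test root here;
#    on a real host drop -CAfile to use the system store).
chain_is_complete() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

make_test_pki
build_fullchain yourdomain.crt yourdomain.ca-bundle yourdomain-fullchain.crt
lock_key yourdomain.key
key_matches_cert yourdomain-fullchain.crt yourdomain.key && echo "key pairs with certificate"
leaf_is_first yourdomain-fullchain.crt yourdomain.crt && echo "leaf is first in fullchain"
chain_is_complete yourdomain.crt yourdomain.ca-bundle root.crt && echo "chain verifies"

# Failure modes the checks catch: the intermediate's key, and a reversed concatenation.
key_matches_cert yourdomain-fullchain.crt int.key || echo "wrong key rejected"
cat yourdomain.ca-bundle yourdomain.crt > reversed.crt
leaf_is_first reversed.crt yourdomain.crt || echo "reversed order rejected"
```

On a real host, replace make_test_pki with the files from the tracking system and run the three checks against them before anything is placed in the Traefik certs directory; the reversed-order case is the one that most often survives a naive concatenation.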

Configuring the Dynamic TLS File

Traefik loads SSL Certificates from a dynamic configuration file watched by the file provider. Confirm the static configuration points the provider at your dynamic directory (providers.file.directory, with watch set to true so edits are picked up without a restart), then create the TLS definition. Static and dynamic configuration must live in separate files; Traefik will not accept a tls section in the static file.

# /opt/traefik/dynamic/tls.yml
tls:
  certificates:
    - certFile: /opt/traefik/certs/yourdomain-fullchain.crt
      keyFile: /opt/traefik/certs/yourdomain.key

Container deployments mount the certs directory into the Traefik container, in which case the paths above must reflect the in-container mount point rather than the host path. A wrong path does not stop Traefik: it logs an error for that certificate and keeps serving, so check the Traefik log after the reload if the new SSL Certificate does not appear.

No restart is needed when the file provider has watch enabled. Traefik detects the new file, loads the SSL Certificate, and begins presenting it to clients whose requested hostname matches, selected automatically through Server Name Indication (SNI).

Routing HTTPS Traffic

The SSL Certificate becomes visible once a router terminates TLS on the websecure entrypoint for the matching hostname. Routers defined through Docker labels only need the tls flag enabled (traefik.http.routers.<name>.tls=true), while file-based routers declare it explicitly.

# /opt/traefik/dynamic/router.yml
http:
  routers:
    yourdomain-secure:
      entryPoints:
        - websecure
      rule: "Host(`yourdomain.com`)"
      service: yourdomain-service
      tls: {}

Note: When no configured SSL Certificate matches the requested hostname, Traefik serves its built-in self-signed default rather than failing. A browser warning showing TRAEFIK DEFAULT CERT therefore means the hostname did not match, usually due to a typo in the rule, a missing entry in the tls.yml file, or a certFile path that Traefik could not read. A certificate only matches when the requested name appears in its Subject Alternative Names, so a www or bare-domain variant that was not included in the CSR also falls back to the default. If you would rather never present the self-signed default, the dynamic configuration can nominate one of your own certificates as the default certificate of the default TLS store.
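A generator for the dynamic TLS file, added here as an example rather than taken from the guide or from Traefik. It walks a certs directory, skips pairs with no key or with a key readable by other users, rewrites host paths to the in-container mount point, and declares one pair as the default certificate of Traefik's default TLS store so a hostname mismatch is answered with your certificate instead of TRAEFIK DEFAULT CERT. The /opt/traefik/certs layout, the /certs mount point and the yourdomain name are assumptions; the sample certificates are self-signed throwaways created for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide or from Traefik. Generates the
# dynamic TLS file from a directory of <name>-fullchain.crt / <name>.key pairs.
# Assumed layout: host dir /opt/traefik/certs mounted at /certs in the container.
set -eu

# Print a tls.yml to stdout for every complete pair in host dir $1, using
# container path $2 in the generated entries. $3 names the pair to use as the
# default certificate (pass "" to keep Traefik's built-in self-signed default).
gen_tls_yml() {
  host_dir="$1"; ctr_dir="$2"; default_name="$3"; count=0
  printf 'tls:\n  certificates:\n'
  for fc in "$host_dir"/*-fullchain.crt; do
    [ -f "$fc" ] || continue                    # no matches: the glob stays literal
    name=$(basename "$fc" -fullchain.crt)
    key="$host_dir/$name.key"
    if [ ! -f "$key" ]; then
      printf 'skip %s: no %s.key beside the fullchain\n' "$name" "$name" >&2
      continue
    fi
    # Refuse keys readable by group or others (the guide's chmod 600 step).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
      *00) ;;
      *) printf 'skip %s: key mode %s is not owner-only\n' "$name" "$mode" >&2; continue ;;
    esac
    printf '    - certFile: %s/%s-fullchain.crt\n      keyFile: %s/%s.key\n' \
      "$ctr_dir" "$name" "$ctr_dir" "$name"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || { echo 'no usable certificate pairs found' >&2; return 1; }
  # Optional default certificate: replaces TRAEFIK DEFAULT CERT for SNI mismatches.
  if [ -n "$default_name" ] && [ -f "$host_dir/$default_name.key" ]; then
    printf '  stores:\n    default:\n      defaultCertificate:\n'
    printf '        certFile: %s/%s-fullchain.crt\n        keyFile: %s/%s.key\n' \
      "$ctr_dir" "$default_name" "$ctr_dir" "$default_name"
  fi
}

# Demo on a constructed directory: self-signed throwaways stand in for issued
# fullchains; the second deliberately has no key beside it and is skipped.
DEMO=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=yourdomain.com' -days 1 \
  -keyout "$DEMO/yourdomain.key" -out "$DEMO/yourdomain-fullchain.crt" >/dev/null 2>&1
chmod 600 "$DEMO/yourdomain.key"
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=orphan.example' -days 1 \
  -keyout "$DEMO/orphan.key.unused" -out "$DEMO/orphan-fullchain.crt" >/dev/null 2>&1
gen_tls_yml "$DEMO" /certs yourdomain > "$DEMO/tls.yml"
cat "$DEMO/tls.yml"
```

Write the output into the directory the file provider watches and Traefik reloads it. Note the trade-off of nominating a default certificate: a router typo now produces an ordinary name-mismatch warning for your certificate rather than the TRAEFIK DEFAULT CERT diagnostic, so keep the hostname check in mind when something does not match.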

With the router matching and the SSL Certificate loaded, the final step is confirming what clients actually receive.

Verifying the Installation

Load the site over HTTPS and confirm your SSL Certificate appears rather than the Traefik default. From the command line, openssl s_client with the -servername option set to your hostname shows exactly which chain Traefik selected through SNI. Browsers can cache a previously fetched chain and some quietly fetch missing Intermediate Certificates themselves, so do not stop there: run an external scan to confirm the full chain reaches fresh clients correctly. Trustico® provides free checking tools for this final confirmation. Explore Our Trustico® SSL Tools 🔗

Chain warnings at this stage usually mean the fullchain concatenation was skipped, or the ca-bundle was placed ahead of your own SSL Certificate, so clients receive an incomplete or mis-ordered chain. Rebuild the combined file and let the file provider pick it up. Learn About Intermediate Certificates 🔗

Automating Future Replacements

Traefik environments suit automation particularly well, since the platform already reloads SSL Certificates without intervention. With industry validity periods reducing in stages over the coming years, pairing Traefik with automated issuance removes the manual replacement cycle entirely.

Trustico® provides Certificate as a Service (CaaS) for exactly this purpose. Learn About Certificate as a Service (CaaS) 🔗

Professional Installation Assistance

Traefik configurations span simple single host setups through to orchestrated clusters, and the dynamic configuration model can hide mistakes quietly.

Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗
