TLS Certificates
Info
When a router has to handle HTTPS traffic, it should be specified with a tls field of the router definition.
Certificates Definition¶
Automated¶
See the Let's Encrypt page.
User defined¶
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the dynamic configuration, in the [[tls.certificates]] section:
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls.certificates]]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"Restriction
In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores). However, in Kubernetes, the certificates can and must be provided by secrets.
Certificates Stores¶
In Traefik, certificates are grouped together in certificates stores.
Restriction
Any store definition other than the default one (named default) will be ignored,
and there is therefore only one globally available TLS store.
In the tls.certificates section, a list of stores can then be specified to indicate where the certificates should be stored:
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
stores:
- default
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
stores = ["default"]
[[tls.certificates]]
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"Restriction
The stores list will actually be ignored and automatically set to ["default"].
Default Certificate¶
Traefik can use a default certificate for connections without a SNI, or without a matching domain. This default certificate should be defined in a TLS store:
tls:
stores:
default:
defaultCertificate:
certFile: path/to/cert.crt
keyFile: path/to/cert.key[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"If no defaultCertificate is provided, Traefik will use the generated one.
ACME Default Certificate¶
You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate. The configuration to resolve the default certificate should be defined in a TLS store:
Precedence with the defaultGeneratedCert option
The defaultGeneratedCert definition takes precedence over the ACME default certificate configuration.
tls:
stores:
default:
defaultGeneratedCert:
resolver: myresolver
domain:
main: example.org
sans:
- foo.example.org
- bar.example.org[tls.stores]
[tls.stores.default.defaultGeneratedCert]
resolver = "myresolver"
[tls.stores.default.defaultGeneratedCert.domain]
main = "example.org"
sans = ["foo.example.org", "bar.example.org"]labels:
- "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"{
"Name": "default",
"Tags": [
"traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver",
"traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org",
"traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
]
}Using Traefik OSS in Production?
If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.
Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via this short video.