Discussion - Traefik Cert Issues with CloudFlare | PlexGuide.com


bodgeup

Experienced
Original poster
Staff
FreeLancer
Donor
Aug 12, 2018
As I posted here:

Cloudflare banned those free TLD domain suffixes .TK .ML .CF .GA .GQ, so they won't work via the Traefik API, so you have to add the TXT record for _acme-challenge manually, looking at the Portainer Traefik container logs for the value to add when the cert is up for renewal! Or do what I did and just use DuckDNS with Traefik and PG, and then CNAME-forward your TK domain name to the DuckDNS FQDN using the orange CF proxy to get around the cert SNI difference!

So if you use a domain TLD suffix as above, then either do it manually like I mentioned or use another domain DNS provider with your free TLD suffix. Personally I love DuckDNS, but that's just my preference!! It's not anything wrong with PlexGuide, it's Cloudflare blocking the API, so if your certs are not being set up initially or not auto-renewing, that's why!!

Bodgeup

PS
Traefik 2.2.1 is in the works, just sorting its PGShield config before gen rls'ing, but Traefik 1.7 still works perfe
Reactions: 1 users
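The DuckDNS route described in the post above, written out as a Traefik 1.7 `traefik.toml`. This is an added example, not PlexGuide's shipped configuration: the hostname `myhome.duckdns.org`, the e-mail address and the file paths are assumptions, and the DuckDNS token is assumed to be passed into the container as the `DUCKDNS_TOKEN` environment variable. The Cloudflare and `manual` variants are shown in comments for comparison only.

```toml
# Added example (not PlexGuide's own config): Traefik 1.7 obtaining its
# Let's Encrypt certificate via the DuckDNS DNS-01 challenge. The ACME TXT
# record lands on myhome.duckdns.org, so the Cloudflare API (which rejects
# the free .tk/.ml/.cf/.ga/.gq zones) is never involved.
# Assumed container flag: -e DUCKDNS_TOKEN=<your DuckDNS token>
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"          # never serve the apps over plain HTTP
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "admin@example.com"       # assumption: your Let's Encrypt contact
storage = "/etc/traefik/acme/acme.json"   # holds the private key: keep it mode 600
entryPoint = "https"
onHostRule = true
  [acme.dnsChallenge]
  provider = "duckdns"
  delayBeforeCheck = 0
  # Public resolvers for the pre-check, so a local caching resolver that
  # still holds an old TXT value cannot stall the renewal.
  resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
  [[acme.domains]]
  main = "myhome.duckdns.org"
  sans = ["*.myhome.duckdns.org"]  # one wildcard cert for every PG app subdomain

# The arrangement that fails on a free TLD, for comparison. TOML allows only
# one [acme.dnsChallenge] table, so this must not be added alongside the above:
#   [acme.dnsChallenge]
#   provider = "cloudflare"        # reads CF_API_EMAIL / CF_API_KEY from the env
# With provider = "manual" Traefik instead prints the _acme-challenge TXT value
# in its log for you to add by hand, which is the first route the post mentions.
```

On the Cloudflare side the free-TLD name is then a proxied (orange cloud) CNAME pointing at `myhome.duckdns.org`. Browsers only ever see Cloudflare's edge certificate for the `.tk` name, while Traefik presents the DuckDNS certificate to Cloudflare. One thing to keep in mind: Cloudflare's "Full (strict)" SSL mode validates the origin certificate, and the DuckDNS name will not match the requested `.tk` hostname, so this arrangement depends on the plain "Full" mode, which encrypts the Cloudflare-to-origin hop but does not verify the origin's identity.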

timetrex

Elite
Staff
Oct 22, 2018
You could also download the CA origin certificate from Cloudflare and point Traefik to use that; think that's valid for 15 years.

bodgeup

Experienced
Original poster
Staff
FreeLancer
Donor
Aug 12, 2018
The orange CF web proxy does it anyway: the client-to-CF traffic is encrypted using the CF cert, then the CF-to-server Traefik can work fine with a different cert; even the Traefik default cert works. But that's why I use DuckDNS, so my Traefik can set up its cert every 90 days automatically, then CF to my DuckDNS FQDN via CNAME works as long as you use the CF orange proxy, otherwise clients will see HTTPS warnings from incorrect SNI. Adding your own cert to Traefik is just too long I think, as you read only it when uploading, but still it's far easier to just let CF's SSL and orange web proxy do the work so you don't have to!! The main point is the client always uses an HTTPS connection to CF.
Reactions: 1 user

timetrex

Elite
Staff
Oct 22, 2018
The main point is to have full end-to-end encryption. Adding your own certificate to Traefik takes 2 seconds, which could be deployed in future PlexGuide deployments to make it more seamless.

bodgeup

Experienced
Original poster
Staff
FreeLancer
Donor
Aug 12, 2018
Have you tried to add your own cert yourself yet?? It's not as easy as it seems!! But if it works for you then go for it!! Also CF does still do encrypted HTTPS to the server; it just gets around those HTTPS browser warnings from mismatched SAN names in the certs.

But as I say, if it works, sweet; personally I haven't tried adding my own cert yet. Does it work on the TLD app and subdomain apps' FQDNs?? Reason I ask is I've seen Traefik add the correct cert for the subdomain apps but leave the default cert in for the set TLD app, but I think that only requires a server reboot to fix. Also interested to hear how to add certs into Traefik: what's the path they're stored in on the Traefik container?? I know you can mod the Traefik_info file to add in CA storage to a path, but it's not there by default, only the acme.json file?
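For the question of where a hand-supplied certificate goes: in Traefik 1.7 it is not stored in `acme.json` at all but declared on the HTTPS entry point. The following is an added example, not PlexGuide's configuration or anything the thread's authors posted; `/certs/origin.pem` and `/certs/origin.key` are assumed paths for a Cloudflare Origin CA certificate mounted into the container, and `example.tk` is a placeholder domain.

```toml
# Added example (not PlexGuide's own config): Traefik 1.7 serving a
# Cloudflare Origin CA certificate instead of an ACME one.
# Assumed mount on the container: -v /opt/traefik/certs:/certs:ro
# Keep origin.key mode 600 on the host; it is the origin's private key.
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      # Traefik picks a certificate by matching the client's SNI against the
      # SANs of every certificate listed here; a name matched by none of them
      # falls back to Traefik's self-signed default certificate, which is the
      # "default cert on the TLD app" symptom described above. So issue the
      # Origin CA cert for both the apex and the wildcard when you create it
      # in the Cloudflare dashboard (assumed: example.tk and *.example.tk).
      [[entryPoints.https.tls.certificates]]
      certFile = "/certs/origin.pem"
      keyFile  = "/certs/origin.key"

# No [acme] table: with a static certificate there is nothing to renew through
# the Cloudflare API, which is what breaks on the free TLDs.
```

Two properties of Origin CA certificates matter here. They chain to Cloudflare's own root, which browsers do not trust, so the orange proxy must stay enabled for every hostname this entry point serves, or visitors get a certificate warning. In return, because the edge does trust that root, the Cloudflare SSL mode can be set to "Full (strict)", so the edge verifies it is talking to the real origin rather than merely encrypting the hop, which is the end-to-end property the previous reply is after.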