Install SSL Certificate on Traefik

Overview

To secure connections on your server, you need to install an SSL certificate on your Traefik instance. This ensures encrypted traffic between VergeCloud and your backend services. When SSL is properly configured in Traefik, all incoming and outgoing traffic between VergeCloud’s edge network and your infrastructure is protected with encryption. This means no one can intercept or modify the data flowing between them, which is crucial for sensitive applications, API services, and any workload that handles authentication or private user information. Because Traefik is often used as a central entry point for multiple backend services, securing it with a correctly configured SSL certificate becomes even more important. Without proper encryption, every service behind Traefik would be exposed to unnecessary risk, so installing and maintaining your SSL certificate is an essential part of managing a secure environment.

Prepare the Certificate and Private Key

You can use your own SSL certificate and private key or generate a free certificate from the SSL/TLS → Origin Server section in the VergeCloud dashboard. This Origin SSL certificate is specifically designed to secure the communication between VergeCloud and your origin server. If you choose to generate one through VergeCloud, the process is straightforward, and the dashboard guides you through downloading both the certificate file and the private key. The private key should always be handled with extreme care because it represents the cryptographic identity of your server. Anyone who gains access to it could impersonate your server in ways that would be difficult to detect. Before proceeding with installation, make sure you read the VergeCloud documentation on Origin SSL so you understand how long the certificates remain valid, how often they must be renewed, and how they are meant to be used with reverse proxies such as Traefik.

Upload to Server

Place the certificate and key files on your Traefik host so that Traefik can read them. This location might be inside a Docker volume, a bind mount, or a local path if you are running Traefik directly on the host system. A commonly used directory path looks like this:

/etc/ssl/vergecloud/certificate.crt
/etc/ssl/vergecloud/private.key

It is important that these files are stored securely and that the directory containing them is readable only by the process that runs Traefik. If you are using Docker, be sure that the certificate files are mounted into the container intentionally and not included inside the container image itself. Mounting them through a volume ensures they remain private and can be updated without rebuilding images. When transferring the certificate files from your local machine to the Traefik server, always use encrypted transfer methods such as SCP or SFTP. Never upload them through unsecured file sharing services or expose them inside public repositories. The safety of your SSL setup depends heavily on maintaining the confidentiality of the private key.
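One way to verify those permissions on the host before Traefik is pointed at the files (an added example, not part of the VergeCloud documentation). The function names and the optional owner argument are assumptions; the path in the usage comment is the one used on this page.

```shell
#!/bin/sh
# Added example: audit the key file and its directory before Traefik uses them.

# Group/other permission characters of a path, e.g. "------" or "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Owner name (or numeric id) of a path, as printed by ls.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# audit_key KEY [EXPECTED_OWNER]
# Returns 0 when only the owner can reach the key; prints each finding otherwise.
audit_key() {
    key=$1
    want_owner=${2:-}
    rc=0
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: $key is missing, a symlink, or not a regular file"
        return 1
    fi
    # Neither the key nor its directory may grant anything to group or other.
    for path in "$key" "$(dirname "$key")"; do
        if [ "$(group_other_bits "$path")" != "------" ]; then
            echo "FAIL: $path is accessible to group or other"
            rc=1
        fi
    done
    # Optionally require that the file belongs to the account running Traefik.
    if [ -n "$want_owner" ] && [ "$(owner_of "$key")" != "$want_owner" ]; then
        echo "FAIL: $key is owned by $(owner_of "$key"), expected $want_owner"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $key"; fi
    return "$rc"
}

# Run directly: sh audit_key.sh /etc/ssl/vergecloud/private.key [owner]
if [ "$#" -gt 0 ]; then audit_key "$@"; fi
```

A key at mode 600 inside a directory at mode 700 passes; any group or other permission bit on either one is reported.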

Redirect HTTP to HTTPS

To ensure that all incoming traffic uses encrypted HTTPS, add a middleware and router that automatically redirects all HTTP requests. This prevents users or automated clients from accidentally communicating with your service over an insecure connection. In your Traefik configuration, define a middleware that performs a permanent redirect to HTTPS and then attach that middleware to an HTTP router. For example:

http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true

  routers:
    http-router:
      entryPoints:
        - web
      rule: "Host(`yourdomain.com`)"
      middlewares:
        - redirect-to-https
      service: noop@internal

This setup ensures that any request arriving on the web entry point, which corresponds to port 80, is immediately redirected to the HTTPS version. Using noop@internal simply provides a placeholder service for the redirect, since no backend service needs to be called at this stage.

Update Traefik Configuration

In your Traefik static or dynamic configuration, you must reference the SSL certificate and private key that you uploaded earlier. Traefik uses these files to perform the TLS handshake when clients connect. Add the following:

tls:
  certificates:
    - certFile: "/etc/ssl/vergecloud/certificate.crt"
      keyFile: "/etc/ssl/vergecloud/private.key"

This configuration instructs Traefik to load your VergeCloud Origin certificate and private key and present them to clients during secure connections. If you are running multiple domains or certificates, you can include additional entries, but in most simple setups, a single certificate is enough. After adding these entries, double-check the paths to be sure they match exactly where the files are stored on your server or Docker volume.

Reload Traefik

If you are using Docker, restart the Traefik container so that it reads the updated certificate files and configuration:

docker restart traefik

Restarting reloads the TLS configuration and ensures Traefik immediately begins serving the new certificate. If you are not using Docker and instead running Traefik directly on the host, restart the service using your system’s service manager.

Testing/Validation

After setup, test your certificate with the following command:

openssl s_client -connect yourdomain.com:443

This allows you to inspect the certificate being served by Traefik, verify that the certificate chain is correct, and confirm that the SSL handshake completes successfully. It is a helpful troubleshooting tool if Traefik is not loading the certificate correctly or if permissions prevent Traefik from reading the key file.

Considerations:

Private key security is critical. Ensure that only the Traefik process or container has access to the certificate files. Avoid placing them inside publicly distributed Docker images, as this would expose your private key to anyone who downloads the image. VergeCloud Origin certificates renew every ninety days, so you must replace the certificate and private key on your server each time they are renewed. After updating the files, reload Traefik so the changes take effect. Keeping your certificate up to date and secured is essential for maintaining a trusted and encrypted connection.
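A check to run on the renewed files before reloading Traefik (an added example, not VergeCloud's or Traefik's own tooling): it confirms that the private key belongs to the certificate and that the certificate is not about to expire. The function names and the 14-day default threshold are assumptions; the openssl subcommands are standard.

```shell
#!/bin/sh
# Added example: pre-reload check for a renewed certificate/key pair.

# Return 0 if the certificate's public key equals the one derived from the
# private key, 1 if they differ, 2 if either file cannot be parsed.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight CERT KEY [MIN_DAYS]
preflight() {
    cert=$1
    key=$2
    min_days=${3:-14}   # assumed threshold, adjust to your renewal schedule
    if ! pair_matches "$cert" "$key"; then
        echo "FAIL: $key does not match $cert (or a file is unreadable)"
        return 1
    fi
    if ! valid_for_days "$cert" "$min_days"; then
        echo "FAIL: $cert expires within $min_days days"
        return 1
    fi
    echo "OK: $(openssl x509 -in "$cert" -noout -enddate)"
}

# Run directly, for example:
#   sh preflight.sh /etc/ssl/vergecloud/certificate.crt /etc/ssl/vergecloud/private.key
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it after copying the renewed files into place and restart Traefik only when it prints OK; a mismatched pair would otherwise surface only as a failed handshake after the restart.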