Put Wildcard Certificates and SSL on EVERYTHING - Traefik + Portainer Tutorial

What are you using to get your certificates?

Half the views came from me watching it over and over.

I know this is an older video, but I just wanted to drop in and say thank you. I really appreciate all you do for the community

The best video on SSL with Portainer and Træfik, period. Thank you so much for your slow and clear approach with excellent quality of video. Keep up the great work Tim! 🐧

This is literally my first ever comment in 8 years. I really enjoy your content. You keep it simple, relatable, and most importantly you tied different services together not just one by one in all different videos. You show the end game scenario. Patreon it is brother.

Just wanted to say thank you, Tim!!! I've been wanting to set up ssl for a few months now but have been intimidated by it all. After learning how to create a ansible playbook to update,upgrade-dist for my VMs last week . I was like I can do this ssl thing so I bought a domain and watched this video like 10 times but I now have my local services all running with ssl thanks to you. All your videos are great and very infomitve. You and the homelab CZcams community is amazing .. thank you again so much

I was originally soooo frustrated following this tutorial. I went step by step, and took SEVEN hours just to figure out that I had some typos! Thanks @Techno Tim, amazing tutorial. I'm so glad I stuck it out! For anyone else struggling, highly recommend looking over your work even when you copy and paste!

I just found your channel and have binged a few videos as I’m right in the process of upgrading my home Proxmox server and home network. I swear you somehow have a video for exactly each thing I was about to do, with detailed instructions and configs (NUT, Proxmox setup, SSL and FQDM for local services, etc etc). These are fantastic jumping off points for my own custom configs and I love that you go into such detail and explain WHY you do things not just a list of steps, as I usually will want a different configuration and am even more interested in the why than the how. Fantastic channel, I hope to see you continue to grow it!

Came across this video just today, and I wanted to leave a comment for the algorithm, along with liking and subscribing. Really appreciate you giving away the hours of trial and error that it had to have taken to get these configs dialed in. I also appreciate your clear and straightforward delivery. Great job with this.

After almost 3 years, this still works like a charm... Save my life... Kudos 👏😎

I've watched this video twice fully and a few times in part over a period of several months. You've been a teacher for me and I appreciate you.

I've been looking to do that for over a year and a half and scratching my head because it all seemed far too complicated a setup to bother with it all. Until I finally found your video... Damn, that one is very useful and simple to follow... as well as sufficiently detailed to really understand how it works under. Very well done and useful, thanks!

Love using traefik! It was actually where I started my homelab. A friend showed me traefik and something about it just caught my interest. Started spinning up a bunch of different containers with configs just for the sake of it.
Great video!

I use Nginx proxy manager, but this looks neat. I really need to move to wildcard, my let’s encrypt list is getting a little silly now.
Thanks, Tim for all you do!

Tim thank you so much for this video and tutorial. I got this up and running for my internal services, and it inspired me to also set up a separate process for the stuff I wanted to take external. Keep it up!

Exactly what I needed man, thank you so much! Really enjoy the videos! Super clear and fun to watch!

Nice! I've been running this setup for a few years as well. With one difference: I configured the file provider to watch a directory of .yml files. (see the watch option and the directory option). This allows me to create a .yml file PER site and the watch option makes it so I don't have to restart the container and take down the proxy.

Absolutely love this channel. Incredible editing and great documentation. Just what I need to rebuild my homelab. :)

Awesome tutorial, been using traefik since 1.0 but this video helped me to understand a few things clearly, thanks for your work!

How do you literally upload exactly what i've been looking for, one day after i began reading up on it?!?
As always, awesome video!

I was struggling with setting up a reverse proxy yesterday, today this video pops up in my feed. Great timing! :D

Oh heck yeah!! Thanks Tim! This was just what I needed, like I mentioned last time!
The k8s focused rancher ones were great, but I have been running portainer with regular docker containers and hoping for inspiration to add traefik. Had been using Caddy for certs and it's really easy, but Traefik supports SSO with Authelia and Caddy doesn't. Any odds on setting up SSO with Authelia next? Thanks very much, you're the best!!

Hi Tim, great tutorial! I've been running SSL on all my homelabs projects for couple months now without any issues. But recently I had some problems renewing certificate. I found that I had to add 'delayBeforeCheck: 5' in traefik.yml file under dnsChallenge section for cert to renew. I guess Cloudflare has changed something on their end and I needed this line to add a delay for a few seconds otherwise I would always get certificate null error. You may want to add this to your documentation to help others encountering this issue. Banged my head for days until I figure this out. Thanks again for all your great tutorials.

love that i found your channel, learning more here than i did at uni

Amazing tutorial. I can't tell you how long I've been annoyed with my homelab services not using SSL or just using the self signed stuff... it's so nice to have these being properly secured now.

This seems to be a bit more complex then what I am doing directly with PFSense and its HA Proxy and ACME plugins, but I like the nice dashboard that Traefik provides! Thanks Tim for the nice walk through!

I definitely prefer your more advanced videos will you show a whole solution like these. Keep it up!!

I had spent two days trying to figure out how to do this, and I finally got it after carefully going through your video. Thank you so much for helping the community like this, I really appreciate it.

Dude! Nice work! It's not about the complexity, it's about the way you describe and explain something...you nailed both.

Techno Tim is legit the best. Really motivating and quality IT configuration content

Hey Tim, I'm having a hard time. I'm following this tutorial so that I can subsequently follow your pterodactyl tutorial and I think I may be in over my head. For example, @8.40 you say "just make sure you have a DNS entry pointing back to this portainer".
Now, you said that so casually.. but how do I do that? Where do I find this portainers IP? Is it the IP of the server portainer is running on, or do I find that in portainers dashboard? Should I be going further back in your tutorials until I understand the things in this tutorial that do dont fully explain? and if so, where do I start?
Thanks.

Tim! You seem to know what I am working on every time a video comes out. Thank You!!!

Big kudos to you Tim, a great guide and the only one I could find online that explains it so well! Keep on Rockin!!!!

In a more recent video (I think it was the overview of your whole lab) you mentioned you now have two instances of Traefik, one for external traffic, and the one described in this video.
I spent several days trying to set up a second instance to pass external traffic along, and was never able to get it to work. Would you be willing to do a more in depth tutorial about that setup?

Thank's for the video !
What about doing the same thing within and for Rancher ?

I stumbled upon your channel today (started with high availability pihole), and I am amazed by the quality of your videos! It was insta subscribe, and I hope you will continue the excellent work Tim!

You're a legend, this is a great match for my setup. Thanks for your research and hard work, saved me some time.

How do you decide whether to use Kubernetes or Docker?

Thanks for the video, can i add labels to a stack in another portainer environment (another proxmox host) ? how?

Thank you very much. I am rebuilding my homelab and I was looking for instructions about certificates. Greatly explained, thanks again!

Congrats for the tutorial! Very helpful. One of the best channels for the Home Lab enthusiasts.

Do you have network diagram, it helps some of us understand the flow and config easier.
Great vid as always, well explained. Thanks Tim

Hey Tim, this is awesome, I have got everything internally and external, to docker, set up flawlessly. However, I think I might be missing something, as I am a little stuck on how to configure this to allow internet-facing external access.
I have configured the Cloudflare DNS and port forwarded, but I think I am missing some key config on Traefik itself? I would absolutely love it if you could reply (or even make a video!) on how *you* would go about setting up internet facing services through Traefik!

brilliant, amazing work. affordable and very valuable. Tim, you are a great man.

great job man.. you're videos are always solid !! Greetings from Denmark

Tim, i think there's a bit of a confusion in commands... there are a bit of "cd .." which you show in video but missing on docs page... also the config.yaml is done in the data folder, not in its parent one, as in video... please share full folders structure for both portainer and traefik, thanks :)
oh, and again, you make a data folder inside portainer one, but you refer to the portainer one in docker-compose.yaml instead of data :)
edit: adding that the user:password (encoded via htpasswd) generates other errors on the docker-compose up -d command, because some "$" in the password which triggers some variable substitution in while running docker-compose, that should be escaped some way... i fixed by removing the initial and final backtick and converting double back-slashes to single ones
oh, and you need just the apache addon package, no need for the apache2 one to just generate password hashes

Heads up. It looks like in the video you create your traefik config.yml in the traefik directory (traefik/config.yml). But it's supposed to be at traefik/data/config.yml. I got hung up on this for a while. The documentation does show it in the right place, however.

I struggled so much with Swag and getting anything running securely. This vid honestly saved my sanity, thank you so much Tim!

It’s been a year but thank you for being an inspiration, you’re awesome 🎉

If you had a network map or diagram of each step you were configuring; that would help a lot.

Great video thx 👍
One question - could this had been done in Rancher ? Why not Rancher if yes, why docker ?

Hello Timothy, thanks for the tutorials. i've followed the documentation. finally it works

Thank you so much sir. I just have so many prerequisite skills that I need to learn to fully understand the concept.

Took me a while to get this working, but now everything is up and running thanks to your guide! TYVM!

thank for this between you and Christian Lempa I was able to get traefik working the way I wanted.

Interesting approach. I was using a domain for my home network but had to issue Lets Encrypt certs for each service I wanted to host on the network. I will need to give this a go. Thanks for the great tutorial (once again!)

Worked like a charm. Took me a while to figure out how to connect another DNS provider, but i got it up and running! Thank you very much

Man you are seriously awesome i am still trying to catch up to all the tutorials you post you are great

Just watched it again a year later..... amazing material, thank you Tim.

Thanks for the great tutorial. After fixing a few of my typos and scratching my head a bunch I got everything to work! Liked and subscribed!

simple
straight to the point! i am subscribing!

This is gold! Thank you for sharing, Tim! 👍🏅

Thanks a ton for this godly work :) I have completed my setup using AWS Route 53 DNS Provider.

I literally need to rewatch this, thanks TT

This is exactly what I needed! THANK YOU!!!!

We need more people you! Absolutely great explanations and content!

Duuuuuuuuude, just got this working now! Thanks for the guide Tim!

Congrats on almost 50k subscribers 👏🏼

This is an amazing video walkthrough. You are very good at educating and explaining things. Thank you.

Nice! I just learn how to config Round Robin and Failover under services in dynamic config file, I will implement this later. With this feature, this thing is even more powerful for home LAB.

You are awesome man!! TXH for sharing your nice stuff!

thanks for the great content man! you really know your stuff!

I've been watching your older videos because they seem to always be relevant LMAO, but really good stuff
Recently been testing out on containerizing/dockerizing my home lab/server utilities that were originally installed on host system
What are your thoughts, do you think it's better to install on host system? Or to install via docker(-compose)?

Very informative video. Thanks to you I finally got this working!

Best tutorial on this topic I have seen. Thank you!

Great video! Reverse proxy has always been a pain for me. Would love to see your take on scripting things like toolset installs or container initializations.

I patiently followed your guide, and now everything on my homelab is using wildcard certificate from my domain name
thank you, you are my inspiration for building self hosting app

I've been using NGINX for about 2 years to setup reverse proxy at home. This method seems ALOT easier in comparison to managing a long .conf file or multiple .conf files for subdomains. I'm gonna have to look into setting this up when I have a long weekend free

i love how you explain things, thank you for that

Hi Tim,super useful as Always..thank you!!!greetings from Italy.

@Techno Tim
Sorry Tim for this long reply , I just wanted to point out the importance of the topic to ensure privacy protection, so do not be tempted by the positives that they decorate for the public, because cloud servers, including cloudflare, can track all users of their platform! And many other negatives... That is why we had to find a private alternative that could not be tracked, even if it was difficult for us to protect it locally.
With much thanks and appreciation

When you mean everything, Probably can share more on integration of ssh, ldaps, smtps, and etc.
Thanks and appreciated for the knowledge sharing.

Tim, you are inspirational. I hope this small token of my appreciation keeps you inspired.

Thanks! Your videos are awesome and are extremely helpful as I start up my own home lab

Very straightforward and helpful, +1 for this video

I love the way this skips along the surface of the topic, allowing my brain to see the big picture with just enough anchor points to make it concrete and relatable. I know what a container and a reverse proxy and a DNS server are and how certificates work. I don’t need or want to be distracted by any explanations of those. We need to keep it moving or my buffer will overflow. I can explore sub-topics separately.
You have a perfect style for a top-down learner. Thank you.

THANK YOU SO MUCH! it took so long to try to set it up but it worked. THANKS!

Great video, took a about 5 hours to trouble shoot some issues, and when I worked them out felt stupid. For those like me who take a little time (yes a silly pun) to catch on. The txt record error in my case was fixed with adding a 5 minute delay to the letsencrypt request, `delayBeforeCheck: 5` put it after the dnsChallenge provider. Not sure why but I had issues with putting quotes around the ports in the compose file you did not have them, but when looking at Christian Lempa's recent video and compose file he did, once I removed them it fixed one of my issues. :)

Hey Man thanks for all your great efforts in this wonderful channel , yet i would ask you if is it worth to use traeffik or nginix only with port forwarding, or using cloudflare zeroTrust without port forwarding, or use them both.. In order to get optimum security for local network ?
Which is the best solution ?
Also, im confused if we could trust cloudflare for securing our network?

Thanks a lot, you helped me to setup Traefik perfectly.

You can do this if have a dynamic IP address from your ISP. I image most non business location are going to have a dynamic IP address from their ISP. There are several DDNS (Dynamic DNS) options, some free some a paid service. I use Cloudflare DNS, for this. In short you run/host a small utility that checks your current IP address at a set interval to your current DNS record. If it doesn't match then with an API key it updates the DNS record at Cloudflare. I use an inbound VPN, host a PBX, cloud storage, ect. and it just works despite having a dynamic IP address. I set it up in pfSense to handle the DDNS since it is at the head of the network. Not everyone is using pfSense, but there is also docker containers out there that do the same thing.

I think I'm getting myself confused on what to put in on the host sections. Is it the domain that I set up internally via pihole or is it the domain through cloud fare? I'm still getting familiar with things to setup my pterodactyl server. 😅 Love your videos by the way!

Thank you for your videos. I use videos like this to learn and I appreciate it so much.

Love these videos on ensuring that SSL is used ubiquitously across services. Is there any chance you can create the same but with NPM as Traefik is a bit of a pain to manage if there's a large count of dunning containers.

Thanks so much for the walkthrough, really straightforwards to follow, even for someone newer to self-hosting and linux.
I noticed at 5:17 you suggest binding to the docker socket; I've read on various other Traefik/docker guides that this can be a security liability. Have you ever tried addressing this? I noticed that /var/run/docker.sock was set as read-only in the docker-compose, but I heard this doesn't really get around the security issues.

Very helpful, thank you! I did notice that it didn't cover sending traffic via docker (these templates do ip:port), so I am diving in to see if I can find anything!

Thanks for great tutorial. Today i finished this and get ssl every container.

I prefer nginx for my reverse proxy currently. I do separate my internal records(bind) from my recursive resolver (pi-hole) bind has always been 100% reliable. And because of that it is the fallback for when pihole decides to become brain less (happens more than it should)

This is great video and got me up and running in no time, thanks 😊 I got a question tho, or a video request. How can you use this setup with multiple domains and ex 2 different cloudflare accounts? (I got my personal CF account with domainA, but also want to use a secondary CF account on domainB) is this something you could do a video on? Been all over Reddit/Traefik git issues etc but I can’t wrap my head around it.
Anyways, imma check out your stream and keep up the awesome videos :)

I've been wanting to make the switch from NPM to Traefik for the longest time, but the complexity has always caused be to shy away. This put me over the edge. Thanks so much @TechnoTim. One area I'm not clear about...how would one extend this to services that do need to be reachable externally? Is it as simple as port forwarding 443 to the Docker Host? And if one wanted a separate cert services that are not local, what does that config look like?