Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges

This is my setup using docker-compose to start Traefik, supporting all major encryption providers. I recommend to create the /opt/traefikdirectory and save the following file as /opt/traefik/docker-compose.yml. This config has the fileand docker providers enabled by default.

services:
  traefik:
    image: "traefik:v3.2"
    network_mode: "host" 
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/etc/traefik/conf"
      - "--providers.file.watch=true"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.websecure.http3"
      - "--entryPoints.websecure.http3.advertisedport=443"
      - "--log.level=info"
      - "--serversTransport.insecureSkipVerify=true"
#
      - "--certificatesresolvers.cloudflare-ec384.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare-ec384.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare-ec384.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.cloudflare-ec384.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.cloudflare-ec384.acme.email=letsencrypt@mydomain.com"
      - "--certificatesresolvers.cloudflare-ec384.acme.KeyType=EC384"
      - "--certificatesresolvers.cloudflare-ec384.acme.storage=/letsencrypt/acme.json"
#
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.cloudflare.acme.email=letsencrypt@mydomain.com"
      - "--certificatesresolvers.cloudflare.acme.KeyType=EC256"
      - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
#
      - "--certificatesresolvers.cloudflare-staging.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare-staging.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare-staging.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.cloudflare-staging.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.cloudflare-staging.acme.email=letsencrypt@mydomain.com"
      - "--certificatesresolvers.cloudflare-staging.acme.KeyType=EC256"
      - "--certificatesresolvers.cloudflare-staging.acme.storage=/letsencrypt/acme.json"
#
      - "--certificatesresolvers.alpn-ec384.acme.tlsChallenge=true"
      - "--certificatesresolvers.alpn-ec384.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.alpn-ec384.acme.email=letsencrypt@mydomain.com"
      - "--certificatesresolvers.alpn-ec384.acme.KeyType=EC384"
      - "--certificatesresolvers.alpn-ec384.acme.storage=/letsencrypt/acme.json"
#
      - "--certificatesresolvers.alpn.acme.tlsChallenge=true"
      - "--certificatesresolvers.alpn.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "[email protected]"
      - "--certificatesresolvers.alpn.acme.KeyType=EC256"
      - "--certificatesresolvers.alpn.acme.storage=/letsencrypt/acme.json"
#
      - "--certificatesresolvers.alpn-staging.acme.tlsChallenge=true"
      - "--certificatesresolvers.alpn-staging.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.alpn-staging.acme.email=letsencrypt@mydomain.com"
      - "--certificatesresolvers.alpn-staging.acme.KeyType=EC256"
      - "--certificatesresolvers.alpn-staging.acme.storage=/letsencrypt/acme.json"
    environment:
      - [email protected]
      - CLOUDFLARE_API_KEY=XYZABC123
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./conf:/etc/traefik/conf:ro"

Replace [email protected] by the Email address to register certificates to. Also ensure to change

- [email protected]
- CLOUDFLARE_API_KEY=XYZABC123

Optionally, create a Pilot token and set it (don’t forget to un-comment the line) using

# - "--pilot.token=PILOT_TOKEN_HERE"

Now let’s make the service autostart on boot (and start it right now) using the method detailed in docker-compose systemd .service generator: Run the following in /opt/traefik

curl -fsSL https://techoverflow.net/scripts/create-docker-compose-service.sh | sudo bash /dev/stdin

We will detail how to get access to the Traefik API in followup posts.