To Reproduce
ose a different template
Add a title
*
Title
Before opening a new issue, please do a search of existing issues.
If you need help with your own project, you can start a discussion in the Q&A Section.
To Reproduce
*
A detailed, step-by-step description of how to reproduce the issue is required. Please ensure your report includes clear instructions using numbered lists.
If possible, provide a link to a repository or project where the issue can be reproduced.
Markdown Editor
Markdown input: edit mode selected.
Write
Preview
- Create a application
- Click X
- Y will happen
Make sure to:
- Use numbered lists to outline steps clearly.
- Include all relevant commands and configurations.
- Provide a link to a reproducible repository if applicable.
Current vs. Expected behavior
A clear and concise description of what the bug is, and what you expected to happen.
Markdown Editor
Markdown input: edit mode selected.
Write
Preview
Following the steps from the previous section, I expected A to happen, but I observed B instead
Provide environment information
*
Please provide the following information about your environment.
Operating System:
OS: Ubuntu 20.04
Arch: arm64
Dokploy version: 0.2.2'
VPS Provider: DigitalOcean, Hetzner, Linode, etc.
What applications/services are you tying to deploy?
eg - Database, Nextjs App, laravel, etc.
Which area(s) are affected? (Select all that apply)
*
Are you deploying the applications where Dokploy is installed or on a remote server?
*
Additional context
Any extra information that might help us investigate.
Markdown Editor
Markdown input: edit mode selected.
Write
Preview
I tested on a DigitalOcean VPS with Ubuntu 20.04 and Docker version 20.10.12.
Will you send a PR to fix it?
*
Let us know if you are planning to submit a pull request to address this issue.
Metadata
Assignees
No one assigned
Labels
needs-triage🔍
Type
No type
Projects
No projects
Milestone
No milestone
Please follow this repository's contributing guidelines and security policy.
make me proeprly
a prope msg what we try what happen what what posiblity we try
and everything lhelp me a bit and make a big msg explanation everytihng
os already you know from perious msg
Here's a complete draft for the new issue, ready to paste into each field:
Title:
Custom certificate not applied via SNI fallback (certificateType: none) for Compose domains — Error 526 persists even with a valid matching cert in the Certificates store
To Reproduce:
Deploy a Docker Compose application with multiple services (in our case: 3 Next.js apps + 1 Express API), each assigned its own subdomain under the same root domain via the Domains tab.
Generate a Cloudflare Origin CA certificate covering the exact subdomains in use, copy the certificate and private key.
Go to the dedicated Certificates section in the sidebar → Create Certificate → paste Name / Certificate Data / Private Key → Save. Confirm via SSH that /etc/dokploy/traefik/dynamic/certificates//certificate.yml, chain.crt, and privkey.key are written correctly to disk.
On each service's domain, set Certificate type to none, toggle HTTPS ON. Confirm DNS shows "Behind Cloudflare" (proxied and resolving correctly) for all domains.
Redeploy the Compose application.
Set the Cloudflare zone's SSL/TLS mode to Full (Strict).
Visit any of the domains through Cloudflare → get Error 526 "Invalid SSL Certificate."
Bypass Cloudflare entirely and query the origin server directly with the correct SNI to see what Traefik is actually serving:
nmap --script ssl-cert -p 443
Result: commonName=TRAEFIK DEFAULT CERT — confirms Traefik is not using the uploaded certificate for this domain at all, despite the cert files being present and correctly loaded by the file provider.
Inspect /etc/dokploy/traefik/dynamic/ — only dokploy.yml (dashboard router), middlewares.yml, acme.json, and the certificates/ folder exist. No per-app router/TLS dynamic file exists anywhere, confirming Compose domain routing is generated entirely as Docker labels on the service containers (via Traefik's docker provider) rather than dynamic files — so there's no way to audit the actual applied router/TLS config from the filesystem.
docker inspect --format '{{json .Config.Labels}}' confirms traefik.http.routers..tls=true is present (matching the certificateType === "none" code path), but no certificate ends up being matched via SNI regardless.
Current vs. Expected behavior
Current vs. Expected behavior:
Current: Setting a domain's Certificate type to none — the only documented path for applying a manually-uploaded certificate from the Certificates section to a Compose service's domain — results in Traefik continuing to serve its own self-signed TRAEFIK DEFAULT CERT for that hostname, even though: (a) the uploaded certificate's CN/SAN list exactly matches the domain, (b) the certificate files are confirmed present and well-formed on disk under dynamic/certificates//, and (c) the tls=true label is confirmed present on the container via docker inspect. This results in Cloudflare Full (Strict) rejecting the origin with Error 526, since no valid cert is ever actually presented. The only working fallback is switching Cloudflare to Flexible mode, which removes encryption on the Cloudflare↔origin hop entirely.
Expected: With Certificate type none and a matching certificate present in the Certificates section, Traefik should perform SNI-based matching against its loaded certificate store and present the uploaded certificate during the TLS handshake for that hostname, as described in the docs and by maintainers in the related issue below.
Provide environment information
Environment:
OS: Ubuntu 24.04.3 LTS
Arch: x86_64
Dokploy version: 0.29.8
VPS Provider: Hostinger
Applications: Docker Compose stack — Express/Node.js API, 3x Next.js apps (admin, portal, storefront), PostgreSQL
Which area(s) affected: Docker Compose
Deploying on: Same server where Dokploy is installed
Which area(s) are affected? (Select all that apply)
Traefik, Docker Compose
Are you deploying the applications where Dokploy is installed or on a remote server?
Same server where Dokploy is installed
Additional context
Additional context:
This is a follow-up to [#], which reported the missing certificate-selector UI in the domain form. PR #4705 addresses that UI gap (adding a way to select a registered certificate), but the testing above shows a second, separate bug underneath it: even using the currently-available none fallback path — which per createDomainLabels() in packages/server/src/utils/docker/domain.ts is supposed to trigger SNI-based matching — the certificate is never actually matched or served by Traefik.
This blocks Cloudflare Full (Strict) mode entirely for Compose services. The only way to get HTTPS working end-to-end right now is Flexible mode, which leaves the Cloudflare↔origin hop unencrypted — a real security gap, not just a UX papercut.
Happy to dig further into the Traefik docker-provider label generation and SNI cert-store matching logic and send a PR once the root cause is confirmed.
Will you send a PR to fix it? Yes
Will you send a PR to fix it?
Yes
To Reproduce
ose a different template
Add a title
*
Title
Before opening a new issue, please do a search of existing issues.
If you need help with your own project, you can start a discussion in the Q&A Section.
To Reproduce
*
A detailed, step-by-step description of how to reproduce the issue is required. Please ensure your report includes clear instructions using numbered lists.
If possible, provide a link to a repository or project where the issue can be reproduced.
Markdown Editor
Markdown input: edit mode selected.
Write
Preview
Make sure to:
Current vs. Expected behavior
A clear and concise description of what the bug is, and what you expected to happen.
Markdown Editor
Markdown input: edit mode selected.
Write
Preview
Following the steps from the previous section, I expected A to happen, but I observed B instead
Provide environment information
*
Please provide the following information about your environment.
Operating System:
OS: Ubuntu 20.04
Arch: arm64
Dokploy version: 0.2.2'
VPS Provider: DigitalOcean, Hetzner, Linode, etc.
What applications/services are you tying to deploy?
eg - Database, Nextjs App, laravel, etc.
Which area(s) are affected? (Select all that apply)
*
Are you deploying the applications where Dokploy is installed or on a remote server?
*
Additional context
Any extra information that might help us investigate.
Markdown Editor
Markdown input: edit mode selected.
Write
Preview
I tested on a DigitalOcean VPS with Ubuntu 20.04 and Docker version 20.10.12.
Will you send a PR to fix it?
*
Let us know if you are planning to submit a pull request to address this issue.
Metadata
Assignees
No one assigned
Labels
needs-triage🔍
Type
No type
Projects
No projects
Milestone
No milestone
Please follow this repository's contributing guidelines and security policy.
make me proeprly
a prope msg what we try what happen what what posiblity we try
and everything lhelp me a bit and make a big msg explanation everytihng
os already you know from perious msg
Here's a complete draft for the new issue, ready to paste into each field:
Title:
Custom certificate not applied via SNI fallback (certificateType: none) for Compose domains — Error 526 persists even with a valid matching cert in the Certificates store
To Reproduce:
Deploy a Docker Compose application with multiple services (in our case: 3 Next.js apps + 1 Express API), each assigned its own subdomain under the same root domain via the Domains tab.
Generate a Cloudflare Origin CA certificate covering the exact subdomains in use, copy the certificate and private key.
Go to the dedicated Certificates section in the sidebar → Create Certificate → paste Name / Certificate Data / Private Key → Save. Confirm via SSH that /etc/dokploy/traefik/dynamic/certificates//certificate.yml, chain.crt, and privkey.key are written correctly to disk.
On each service's domain, set Certificate type to none, toggle HTTPS ON. Confirm DNS shows "Behind Cloudflare" (proxied and resolving correctly) for all domains.
Redeploy the Compose application.
Set the Cloudflare zone's SSL/TLS mode to Full (Strict).
Visit any of the domains through Cloudflare → get Error 526 "Invalid SSL Certificate."
Bypass Cloudflare entirely and query the origin server directly with the correct SNI to see what Traefik is actually serving:
nmap --script ssl-cert -p 443
Result: commonName=TRAEFIK DEFAULT CERT — confirms Traefik is not using the uploaded certificate for this domain at all, despite the cert files being present and correctly loaded by the file provider.
Inspect /etc/dokploy/traefik/dynamic/ — only dokploy.yml (dashboard router), middlewares.yml, acme.json, and the certificates/ folder exist. No per-app router/TLS dynamic file exists anywhere, confirming Compose domain routing is generated entirely as Docker labels on the service containers (via Traefik's docker provider) rather than dynamic files — so there's no way to audit the actual applied router/TLS config from the filesystem.
docker inspect --format '{{json .Config.Labels}}' confirms traefik.http.routers..tls=true is present (matching the certificateType === "none" code path), but no certificate ends up being matched via SNI regardless.
Current vs. Expected behavior
Current vs. Expected behavior:
Current: Setting a domain's Certificate type to none — the only documented path for applying a manually-uploaded certificate from the Certificates section to a Compose service's domain — results in Traefik continuing to serve its own self-signed TRAEFIK DEFAULT CERT for that hostname, even though: (a) the uploaded certificate's CN/SAN list exactly matches the domain, (b) the certificate files are confirmed present and well-formed on disk under dynamic/certificates//, and (c) the tls=true label is confirmed present on the container via docker inspect. This results in Cloudflare Full (Strict) rejecting the origin with Error 526, since no valid cert is ever actually presented. The only working fallback is switching Cloudflare to Flexible mode, which removes encryption on the Cloudflare↔origin hop entirely.
Expected: With Certificate type none and a matching certificate present in the Certificates section, Traefik should perform SNI-based matching against its loaded certificate store and present the uploaded certificate during the TLS handshake for that hostname, as described in the docs and by maintainers in the related issue below.
Provide environment information
Which area(s) are affected? (Select all that apply)
Traefik, Docker Compose
Are you deploying the applications where Dokploy is installed or on a remote server?
Same server where Dokploy is installed
Additional context
Additional context:
This is a follow-up to [#], which reported the missing certificate-selector UI in the domain form. PR #4705 addresses that UI gap (adding a way to select a registered certificate), but the testing above shows a second, separate bug underneath it: even using the currently-available none fallback path — which per createDomainLabels() in packages/server/src/utils/docker/domain.ts is supposed to trigger SNI-based matching — the certificate is never actually matched or served by Traefik.
This blocks Cloudflare Full (Strict) mode entirely for Compose services. The only way to get HTTPS working end-to-end right now is Flexible mode, which leaves the Cloudflare↔origin hop unencrypted — a real security gap, not just a UX papercut.
Happy to dig further into the Traefik docker-provider label generation and SNI cert-store matching logic and send a PR once the root cause is confirmed.
Will you send a PR to fix it? Yes
Will you send a PR to fix it?
Yes