SSL certs from LetsEncrypt (from another nginx container)?

I have a domain wildcard cert that is generated from another docker container running over on my NAS ( The LetsEncrypt cert/key files are .pem. Can I safely replace …/brewblox/traefik/brewblox[.crt | .key] with the externally-generaged LE cert?

Thinking I’d also have to schedule a script to copy the cert over to the brewblox rpi when it’s updated and restart traefik…

Is this practical?

Yes, you can provide your own key files. You probably need to convert your .pem file. Traefik (v2) cert config is defined in brewblox/traefik/traefik-cert.yaml (docs).

You can safely update after overwriting key/cert/config files: they are only overwritten during brewblox-ctl setup / makecert, not during update.

@Bob_Steers Did not need to convert the certs, just rename them.

[admin@nas ~] scp /share/docker/mediasvcs/swag/config/etc/letsencrypt/live/ \

[admin@nas ~] scp /share/docker/mediasvcs/swag/config/etc/letsencrypt/live/ \

[admin@nas ~] ssh chmod 600 /home/pi/brewblox/traefik/brewblox.*
1 Like

Is there a way to configure traefik to redirect all traffic to https and do so in a way that is persistent?

Extend the traefik service in docker-compose.yml. Copy the command section from the service in docker-compose.shared.yml, and add

It returns a HTTP 301 response, so your browser will be pretty persistent about it.

We disabled automatic redirects a while back because iOS couldn’t handle self-signed certs for websockets.

cool. thanks. will give it a go tomorrow.
Have a LetsEncrypt cert deployed. Will test to confirm the UX on IOS.


If I understand correctly, just copy the traefik: service header and the command: section with the additional parameter? Not the whole traefik: service block, correct?


    command: --name=spark-one
    image: brewblox/brewblox-devcon-spark:${BREWBLOX_RELEASE}
    privileged: true
    restart: unless-stopped
    image: j616s/brewblox-tilt:latest
    network_mode: host
    privileged: true
    restart: unless-stopped
    - ./tilt:/share
    command: >-
      --providers.docker.constraints="LabelRegex(`com.docker.compose.project`, `${COMPOSE_PROJECT_NAME}`)"
      --providers.docker.defaultrule="PathPrefix(`/{{ index .Labels \"com.docker.compose.service\" }}`)"
version: '3.7'

Correct. Config from the two compose files is merged.

Seems to be working just fine on IOS 14.4 with the http2https redirection in-place and a LetsEncrypt SSL certificate deployed. No UI functional issues found with any graphs or editors (fermentation setup only).

1 Like