TLS certificates for custom domains

Hi!

I have a Traefik instance running as a Qovery application. It handles traffic from multiple custom domains, although it does not have valid TLS certificates.

I was told Qovery handles certificates but when I try to access the application, here’s the message I get:

Is there something I’m missing? Like a specific Traefik configuration or something?

Best,

Hi @pgiammel, do you have an infrastructure diagram of what you put in place?

Hi @rophilogene , here’s a simple diagram. Would that be enough?

Hi @pgiammel ,

Maybe a silly question, but why do you want to add Traefik to the current Qovery stack setup? There is already an Nginx ingress managing custom TLS for you with Cert-manager. Everything is built in and available through the console to manage the custom DNS name you wish (and so TLS).

Also, if you’re not using the paid version of Traefik, you will certainly be limited to 1 instance of Traefik (because TLS certificates are not shared across Traefik instances), losing the high availability you have by default with Qovery.

Pierre

Hi @Pierre_Mavro ,

No silly question here. As you can see in the diagram, we’ve got an OAuth middleware plugged into Traefik that lets us handle private access to the environment through Google accounts. It would be ideal if there were an easy way to replicate that without our own Traefik instance. Any suggestion?

As for the second point, that shouldn’t be an issue with our permissioned environments, but that is something we’d need to consider for production/public environments. In that case though, we don’t need the OAuth middleware.

Pascal

Hi @pgiammel ,

Several years ago, I did something for Traefik 1 on Kubernetes (GitHub - MySocialApp/kubernetes-helm-chart-traefik: Kubernetes Helm Chart for Treafik HA), but I discourage you from using it (because of the maintenance cost). A few years ago, I exchanged with Traefik’s CEO regarding his position, and he strongly considers the TLS sharing feature as “Enterprise” (https://traefik.io/pricing/). So if you really want this, paying is the simplest solution.

Regarding permissions for Google auth, we’re using OAuth2 Proxy internally at Qovery, where it’s just the middleware, so there’s no need to manage TLS, custom DNS, etc. It’s managed by Qovery directly. You should take a look; it may answer your need.

Pierre

Hi @Pierre_Mavro , thank you! I’ll have a look at that. The auth is currently the only reason we have Traefik.

1 Like

Hi @Pierre_Mavro , how would I go about using the OAuth2 Proxy in Qovery? Do I deploy it as an application and then put my custom domains on it?

EDIT: It doesn’t seem to support host-based routing to upstreams. That might be an issue for us. TLS seems to work fine though.

Yes, as an application. Just to be sure I understand regarding host-based routing: as Nginx manages it upstream and Qovery allows you to set the custom DNS you want to use, is this a problem?

I forgot to reply, but a few days after my question, it started working fine with Traefik without any modification on our end. I don’t know if something changed on your side, but that’s great.

1 Like