What

Uploaded custom certificates (e.g. Cloudflare Origin CA) were never presented by Traefik over SNI, even though they appeared in the Dokploy UI under Certificates.

Root cause

The per-certificate Traefik registration YAML was written into a subdirectory:

/etc/dokploy/traefik/dynamic/certificates/<certificatePath>/certificate.yml

But Traefik's file provider is configured with directory: /etc/dokploy/traefik/dynamic and watch: true. The file.directory provider is non-recursive, so it never reads files nested in subdirectories. As a result the cert YAML was never loaded into Traefik's TLS store and SNI matching never picked it up.

Fix

• Add an exported pure helper getCertificateConfigPath(dynamicTraefikPath, certificatePath) that returns the registration YAML path at the top level of the dynamic Traefik directory: <dynamicTraefikPath>/<certificatePath>-certificate.yml.
• createCertificateFiles now pulls DYNAMIC_TRAEFIK_PATH from paths() and writes the YAML to the top-level path. The PEM files (chain.crt / privkey.key) stay in the per-certificate subdirectory — the YAML references them by absolute path, so this keeps working. The subdir mkdir for PEMs is unchanged.
• removeCertificateById now also deletes the top-level YAML (rm -f for remote servers, fs.rmSync if it exists for local) in addition to removing the per-cert subdirectory.

Test

New test apps/dokploy/__test__/traefik/certificate.test.ts covers the getCertificateConfigPath contract: the path is top-level, is not under a certificates/ subdirectory, and is unique per certificatePath (expected values built with path.join to avoid Windows separator flakiness).

RED (before adding the helper): getCertificateConfigPath is not a function — 3 failed.

GREEN (after fix):

 ✓ __test__/traefik/certificate.test.ts (3 tests) 3ms
 Test Files  1 passed (1)
      Tests  3 passed (3)

Both typechecks clean: pnpm --filter=@dokploy/server run typecheck and pnpm --filter=dokploy run typecheck.

Fixes #4503

🤖 Generated with Claude Code