Custom ssl cert vs let's encrypt

I have an app that customers can deploy on docker. However, the SSL certs may or may not be the customer's own, or auto-generated using LE

I was trying to be smart and come up with a "one config to rule them all"

      - traefik.http.routers.${STACK}-app.rule=Host(`${STACK}.${DOMAIN}`)
      - traefik.http.routers.${STACK}-app.entrypoints=websecure
      - traefik.http.routers.${STACK}-app.tls.passthrough=${USE_CUSTOM_CERTIFICATES:-false}
      - traefik.http.routers.${STACK}-app.tls.certresolver=${USE_CUSTOM_CERTIFICATES:-leresolver}

So the idea is, if USE_CUSTOM_CERTIFICATES is not set, for traefik and LE to do their thing, and if it is set, for passthrough

however, for sites where the USE_CUSTOM_CERTIFICATES is not set, I'm getting a " msg=field not found, node: passthrough providerName=docker "

what would the labels be for a service that uses its own certificates, and for a service that defaults to let's encrypt - but on the same machine?

how do I pass through if I'm getting that error

confused ;_

If Traefik doesn't have access to the TLS cert, then Host() or HostSNI() does not work, only HostSNI(`*`), so you can only have a single service on that port.

so I can't have more than 1 apache container (with the certificates residing on the apache container filesystem), because I can't route based on Host()?

I thought Host() got the hostname from the request, not the certificate

Host() gets the hostname from http, HostSNI() gets the hostname from TLS request.

For both Traefik needs to be able to decrypt the request, so Traefik needs to load the TLS cert file(s).
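
An added example, not part of the original thread: one way to lay out the two cases on the same machine when, as the last reply says, Traefik loads the customer's certificate files itself. The stack names `alpha` and `beta`, the domain, the e-mail address and all paths are constructed placeholders; `leresolver` is the resolver name from the question.

```yaml
# docker-compose.yml (constructed example; names, domain and paths are placeholders)
services:
  traefik:
    image: traefik
    command:
      - --providers.docker=true
      # File provider: this is where customer-supplied certificates are declared.
      - --providers.file.directory=/etc/traefik/dynamic
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.leresolver.acme.email=admin@example.com
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.leresolver.acme.tlschallenge=true
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./certs:/certs:ro              # customer key material, mounted read-only
      - ./letsencrypt:/letsencrypt     # ACME account key and issued certificates

  # Stack "alpha": no customer certificate, so the router names the LE resolver.
  alpha-app:
    image: httpd
    labels:
      - traefik.http.routers.alpha-app.rule=Host(`alpha.example.com`)
      - traefik.http.routers.alpha-app.entrypoints=websecure
      - traefik.http.routers.alpha-app.tls.certresolver=leresolver
      - traefik.http.services.alpha-app.loadbalancer.server.port=80

  # Stack "beta": customer certificate. TLS is enabled without a certresolver,
  # so Traefik serves the matching certificate from its own store (declared below).
  beta-app:
    image: httpd
    labels:
      - traefik.http.routers.beta-app.rule=Host(`beta.example.com`)
      - traefik.http.routers.beta-app.entrypoints=websecure
      - traefik.http.routers.beta-app.tls=true
      - traefik.http.services.beta-app.loadbalancer.server.port=80
---
# dynamic/certs.yml, read by the file provider configured above
tls:
  certificates:
    - certFile: /certs/beta.example.com.crt
      keyFile: /certs/beta.example.com.key
```

In this layout TLS terminates at Traefik for both stacks, so the customer's private key sits on the Traefik host rather than in the Apache container; keep `./certs` and `acme.json` readable only by the account that runs Traefik.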