Default TLS store versus ACME certificate request

I have a question on the precedence of the various TLS options.

I have a default tls certificate defined:

       certFile: /etc/traefik/tls/
       keyFile: /etc/traefik/tls/

This works fine and as expected for my various routers.

Now I have defined a router that I want to have a cert issued from via acme. I have a definition in traefik.yml as below:


And in my router definition I have:

      service: mytest
      rule: Host(``)
      priority: 10
        certResolver: dev

When I go to the url I get the certificate from the default store, rather than one being requested through the 'dev' ACME cert resolve.

This leads me to think that when we have a defaultCertificate set we cannot over-ride this with a specific certResolver. If I comment out the default cert store - I see the ACME call being made, so the config looks good. I wondered if it is possible to set some priority or ordering on this?

Has anyone come across this before or can suggest a way to work around it. Ideally I would like to keep the default cert in place and just have a few routers that are making an ACME call.


The default cert usually is backup if other certs don’t match. I would expect that LE creates certs for Host() if the domain does not match any existing cert. That’s not the case?

Hi there and thanks for the reply. Rather stupidly I realise I have left out an important detail regarding the default cert - it is a wildcard cert. So I think it is matching on the default cert first, which is the wildcard and never geting to the ACME issued cert.

But what I would like to try and achieve (for business reasons) is to keep the default wildcard cert in place and have the ACME one used when the domain matches the HOST block in that router.

You could try to define the TLS main directly on the router (doc).