Different certificate for a non-proxied subdomain (Cloudflare with the Full (strict) SSL option)

Let's start with my current setup.

My docker-compose file:

services:
  traefik:
    # `latest` is unpinned: a major-version pull can change the configuration
    # keys used below and in config.yml — pin a release tag.
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    dns: 1.1.1.1
    # Only 80 and 443 are published here; the :9987/udp entryPoint declared in
    # traefik.yml is not reachable unless it is published somewhere else.
    ports:
      - 80:80
      - 443:443
    # Cloudflare API tokens for the DNS-01 challenge (TOKEN is a placeholder).
    # These are secrets: keep them out of a committed compose file (env_file or
    # Docker secrets) and scope each token to the single zone it needs.
    environment:
      - CF_DNS_API_TOKEN=TOKEN
      - CF_ZONE_API_TOKEN=TOKEN
    volumes:
      # Manually managed certificates (Origin CA + certbot Plex cert), read by
      # the tls.certificates entries in config.yml.
      - /home/user/traefik/data/certs/:/etc/certs
      - /etc/localtime:/etc/localtime:ro
      # ":ro" only protects the socket file; the Docker API behind it is still
      # fully usable from inside the container. A socket proxy that exposes
      # only the read-only container endpoints limits the impact of a
      # compromised Traefik.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mounted, but traefik.yml on this page points the file provider at
      # /config.yml only — /rules is unused unless referenced elsewhere.
      - /home/user/traefik/data/rules:/rules
      # ACME account key + issued certificates; Traefik expects mode 600 here.
      - /home/user/traefik/data/acme.json:/acme.json
      - /home/user/traefik/data/traefik.yml:/traefik.yml:ro
      # Dynamic config; watched by the file provider, so edits (or a touch
      # after swapping certificate files) are picked up without a restart.
      - /home/user/traefik/data/config.yml:/config.yml:ro
      - traefik-logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router whose only job is the redirect to https. The same
      # redirect is configured globally on the http entryPoint in traefik.yml,
      # so one of the two is redundant.
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.domain.com`)"
      # "admin:password." is a placeholder. Traefik expects htpasswd-style
      # hashed entries (MD5/SHA1/bcrypt); a "$" inside a compose label must be
      # written as "$$".
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:password."
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      # Defined but not attached to any router on this page.
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # HTTPS router for the dashboard/API, guarded only by basic auth.
      # config.yml defines a default-whitelist (RFC1918) middleware that is
      # unused; chaining it here would keep the dashboard LAN-only.
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      # This router requests the local.domain.com + *.local.domain.com wildcard
      # through the cloudflare DNS-01 resolver; the other *.local.domain.com
      # routers in config.yml (`tls: {}`) presumably reuse that certificate
      # from the store.
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.domain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
# Indented 4 spaces while the rest of the file uses 2 — valid but
# inconsistent. traefik-certs is declared but never mounted by the service
# above (it uses the bind mount to /etc/certs instead).
volumes:
    traefik-certs:
        external: true
    traefik-logs:

traefik.yml:

api:
  # api.insecure is not set, so the dashboard is only reachable through the
  # api@internal router defined in the compose labels (behind traefik-auth).
  dashboard: true
  # Adds the /debug endpoints (profiling) to the API; turn off when not
  # troubleshooting.
  debug: true
entryPoints:
  http:
    address: ":80"
    # Global HTTP -> HTTPS redirect; this makes the per-router redirect
    # middleware in the compose labels redundant.
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
  # UDP entryPoint for TeamSpeak voice (see udp.routers in config.yml).
  teamspeak:
    address: ":9987/udp"
# Global default transport: disables certificate verification for EVERY
# upstream HTTPS service. The backends on this page are plain http://, so it
# changes nothing for them today, but any https:// backend added later will
# be accepted without validation. Prefer a per-service serversTransport
# (rootCAs / serverName) over this global switch.
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers are only routed when they carry traefik.enable=true.
    exposedByDefault: false
  file:
    # Dynamic configuration (tls/tcp/udp/http). `watch: true` reloads it on
    # change, so a certificate swap does not need a container restart.
    filename: /config.yml
    watch: true

log:
  # DEBUG is very chatty and can include request details; use INFO for
  # day-to-day operation.
  level: "DEBUG"
  filepath: "/var/log/traefik/traefik.log"
accessLog:
  filepath: "/var/log/traefik/access.log"

certificatesResolvers:
  cloudflare:
    acme:
      # Placeholder contact address for the ACME account.
      email: mail@mail.com
      # Relative path; presumably resolved against the container's working
      # directory so that it matches the /acme.json bind mount — confirm.
      storage: acme.json
      dnsChallenge:
        # DNS-01 via the CF_* tokens in the environment; the only challenge
        # type that can issue the *.local.domain.com wildcard requested by the
        # dashboard router.
        provider: cloudflare
        disablePropagationCheck: true # I know it's deprecated
        # Public resolvers to query instead of the host's, plus a fixed 90 s
        # wait since the propagation check is disabled above.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
        delayBeforeCheck: 90

config.yml (cleaned up a little, but with the relevant parts):

# Static certificates loaded into Traefik's default TLS store. Traefik selects
# a store certificate by matching the client's SNI against the certificate's
# names, so any router for a name under domain.com — including the
# tsquery/tsfiles TCP routers below — is presumably served from domain.pem
# (the Origin CA certificate covering domain.com / *.domain.com per the text)
# and the ACME resolver sees the name as already covered. That would explain
# the "certificate already found" behaviour described in the thread.
tls:
  certificates:
    # Cloudflare Origin CA: only trusted by Cloudflare's proxy, not by browsers
    # or other direct clients.
    - certFile: "/etc/certs/domain.pem"
      keyFile: "/etc/certs/domain.key"
    # Let's Encrypt certificate copied in by the certbot cron job
    # (plex.domain.com).
    - certFile: "/etc/certs/plex.fullchain.pem"
      keyFile: "/etc/certs/plex.privkey.pem"

tcp:
  routers:
    # TLS-terminating TCP routers on :443, selected by SNI. Each asks the
    # cloudflare resolver for its own name, but the Origin CA wildcard already
    # in the store (tls section) covers *.domain.com, so the resolver
    # presumably treats the name as covered and issues nothing; the Origin CA
    # certificate is then presented to direct (non-proxied) clients, which do
    # not trust it.
    teamspeak-query-router:
      entryPoints:
        - "https"
      rule: "HostSNI(`tsquery.domain.com`)"
      service: "teamspeak-query-service"
      tls:
        certResolver: cloudflare
        domains:
          - main: "tsquery.domain.com"

    teamspeak-ft-router:
      entryPoints:
        - "https"
      rule: "HostSNI(`tsfiles.domain.com`)"
      service: "teamspeak-ft-service"
      tls:
        certResolver: cloudflare
        domains:
          - main: "tsfiles.domain.com"

  services:
    # Plaintext TCP to the teamspeak container on the proxy network; TLS is
    # terminated by Traefik. The ServerQuery interface (10011) is reachable
    # from the internet via tsquery.domain.com and gated only by TeamSpeak's
    # own login; the HTTP ipWhiteList middleware in this file cannot be
    # attached to a TCP router — a TCP IP allow-list middleware would be the
    # equivalent.
    teamspeak-query-service:
      loadBalancer:
        servers:
          - address: "teamspeak:10011"

    # TeamSpeak file-transfer port.
    teamspeak-ft-service:
      loadBalancer:
        servers:
          - address: "teamspeak:30033"

udp:
  routers:
    # UDP has no SNI/host to match on, so this router forwards everything that
    # arrives on the teamspeak entryPoint (:9987/udp in traefik.yml) to the
    # voice service. The compose file on this page publishes only 80 and 443,
    # so 9987/udp must be published elsewhere for this to be reachable.
    teamspeak-voice-router:
      entryPoints:
        - "teamspeak"
      service: "teamspeak-voice-service"

  services:
    teamspeak-voice-service:
      loadBalancer:
        servers:
          - address: "teamspeak:9987"

http:
 #region routers 
  routers:
    # Pi-hole behind Authelia (forwardAuth) on the https entryPoint.
    # `tls: {}` terminates TLS with no resolver: the certificate comes from
    # the store by SNI, presumably the *.local.domain.com wildcard issued for
    # the dashboard router in the compose labels.
    pihole:
      entryPoints:
        - "https"
      rule: "Host(`pihole.local.domain.com`)"
      middlewares:
        - authelia
        - forward-auth-headers
        - default-headers
      tls: {}
      service: pihole  
    # Public Plex name, served from the certbot-managed plex.fullchain.pem in
    # the tls section. There is no certResolver on this router, so the
    # `domains` entry does not trigger issuance by itself — it only matters
    # together with a resolver. Not behind authelia (Plex has its own login);
    # confirm that is intended.
    plex:
      entryPoints:
        - "https"
      rule: "Host(`plex.domain.com`)"
      tls:    
        domains:
          - main: "plex.domain.com"
      middlewares:
        - forward-auth-headers
        - default-headers
      service: plex
    # LAN name for the same Plex backend, using the local wildcard from the
    # store.
    plex-local:
      entryPoints:
        - "https"
      rule: "Host(`plex.local.domain.com`)"
      tls: {}
      middlewares:
        - forward-auth-headers
        - default-headers
      service: plex
#endregion
#region services
  services:
    # Plain HTTP to LAN backends; passHostHeader keeps the original Host so
    # the applications see the public name.
    pihole:
      loadBalancer:
        servers:
          - url: "http://192.168.1.129:8081"
        passHostHeader: true
    plex:
      loadBalancer:
        servers:
          - url: "http://192.168.1.129:32400"
        passHostHeader: true
#endregion
  middlewares:
    # addprefix-pihole, https-redirectscheme and redirectregex-pihole are not
    # referenced by any router on this page.
    addprefix-pihole:
      addPrefix:
        prefix: "/admin"      
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    redirectregex-pihole:
      redirectRegex:
        regex: "/admin/(.*)"
        replacement: /
    # Forward-auth to Authelia over plain HTTP on the internal proxy network;
    # `rd` is the login redirect target. No authResponseHeaders are listed, so
    # Authelia's identity headers are not passed on to the backend.
    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://auth.domain.com"
    # Hardening response headers. stsPreload + stsIncludeSubdomains commits
    # the whole domain.com tree to HTTPS once the domain is on the browser
    # preload list — make sure every subdomain (including non-proxied ones)
    # can honour that before submitting it. frameDeny and
    # customFrameOptionsValue both set X-Frame-Options; the explicit value
    # presumably wins — confirm which one is intended.
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    # NOTE(review): customRequestHeaders values are static strings;
    # "{clientIP}" does not look like a substitution token here and would be
    # sent literally, replacing the X-Forwarded-For / X-Real-IP values Traefik
    # already sets — confirm against the Traefik docs before relying on these
    # for auth decisions or logging.
    forward-auth-headers:
      headers:
        customRequestHeaders:
          X-Forwarded-For: "{clientIP}"
          X-Forwarded-Proto: "https"
          X-Real-IP: "{clientIP}"

    # RFC1918-only allow list. Defined but unused on this page (it could, for
    # example, guard the dashboard router). Sequence items are flush with the
    # key here while the rest of the file indents them — valid, but
    # inconsistent.
    default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"

    # Convenience chain: allow list + hardening headers. Also unused on this
    # page.
    secured:
      chain:
        middlewares:
        - default-whitelist
        - default-headers

So, currently, my *.local.domain.com hosts get a certificate from Let's Encrypt, while domain.com and *.domain.com use the Cloudflare Origin CA certificate. Plex, on the other hand, is handled manually right now.
What do I mean by that? This:

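# Crontab entry (min hour dom mon dow): 00:00 on the 1st of every third month.
# Renews with certbot, copies the Plex certificate/key into the directory that
# Traefik mounts at /etc/certs, then touches the watched dynamic config
# (providers.file.watch: true) so Traefik reloads config.yml in place. No
# `docker compose down`/`up` is needed, so the other routers (pihole,
# teamspeak, ...) are not interrupted. certbot -q is already quiet, and a
# failing cp/touch still reaches cron's mail, which is what you want.
# If the single-file bind mount does not deliver the change event inside the
# container, mount the data directory instead and point providers.file at it.
# Optional refinement: run the cp/touch from `certbot renew --deploy-hook`,
# so the copy happens only when a certificate was actually renewed.
0 0 1 */3 * certbot renew -q && cp /etc/letsencrypt/live/plex.domain.com/privkey.pem /home/user/traefik/data/certs/plex.privkey.pem && cp /etc/letsencrypt/live/plex.domain.com/fullchain.pem /home/user/traefik/data/certs/plex.fullchain.pem && touch /home/user/traefik/data/config.yml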

Now I wanted to do a similar thing for the TeamSpeak TCP ports, but without this "manual" method. I was wondering whether there is a way to do it inside Traefik itself, because right now, for those subdomains, Traefik assumes the certificate already exists — the Origin CA one — but that certificate is obviously not valid there.

Let's start with certbot: there is no need to restart Traefik. The dynamic config file is already watched, so just touch it after copying the files and Traefik will reload the dynamic config without interruption.

I don't understand what you want to achieve. You don't want to use Cloudflare, and not certbot either? The regular tlsChallenge will create and renew Let's Encrypt certificates (doc).

Good point about the restart thing.
Regarding tlsChallenge, that's the problem: it does not run the challenge at all. It reports that it already found a certificate for the subdomain, but the certificate it finds is the Origin CA certificate, which is not valid for a non-proxied website on Cloudflare.