Github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "sub1.domain1.com"

Hello,
Not sure what I am doing wrong. I cannot get Traefik to use the correct SSL cert; it keeps using the default certificate. All my certs are wildcards from third parties.

version: "3.8"

services:
  traefik:
    image: traefik:v3.3.5
    container_name: traefik
    restart: unless-stopped
    ports:
      # Bind public HTTP and HTTPS to IP 10.0.0.8
      - "10.0.0.8:80:80"
      - "10.0.0.8:443:443"
      # Bind the Traefik dashboard/API to IP 10.10.0.8 on port 8080
      - "10.10.0.8:8080:8080"
    volumes:
      - "/opt/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
      - "/opt/traefik/dynamic_conf.yml:/etc/traefik/dynamic_conf.yml:ro"
      - "/opt/traefik/certs:/certs:ro"
      - "/opt/traefik/logs:/var/log/traefik"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
# /opt/traefik/traefik.yml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  traefik:
    address: ":8080"  # For the dashboard and API

tls:
  options:
    default:
      # Require at least TLS 1.2 (set to VersionTLS12)
      minVersion: VersionTLS12
      # List modern cipher suites; adjust this list as needed.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # Optionally ensure SNI strict mode is applied
      sniStrict: true

  certificates:
    - certFile: "/certs/_.domain1.com/domain1-fullchain.crt"
      keyFile:  "/certs/_.domain1.com/domain1.com.key"
    - certFile: "/certs/domain2-cloud/cloudflare_origin.crt"
      keyFile:  "/certs/domain2-cloud/cloudflare_origin.key"

  # Configure the default certificate for the TLS store.
  # This certificate is used as the fallback when SNI does not match any certificate.
  stores:
    default:
      defaultCertificate:
        certFile: "/certs/_.domain1.com/domain1-fullchain.crt"
        keyFile:  "/certs/_.domain1.com/domain1.com.key"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "/etc/traefik/dynamic_conf.yml"
    watch: true

api:
  dashboard: true
  insecure: true  # Exposes the dashboard/API without auth on the "traefik" entrypoint (:8080); only reachable via 10.10.0.8 because of the compose port binding

log:
  level: DEBUG
  filePath: "/var/log/traefik/traefik.log"
# /opt/traefik/dynamic_conf.yml
http:
  routers:
    sub1-router:
      rule: "Host(`sub1.domain1.com`)"
      entryPoints:
        - websecure
      service: sub1-service
      tls:
        domains:
          - main: "*.domain1.com"
            sans:
              - sub1.domain1.com

  services:
    sub1-service:
      loadBalancer:
        servers:
          - url: "http://10.0.0.11"

You need to create `tls` in a dynamic config file (doc) and load it in the static config with providers.file.

Then simply enable TLS on the entrypoint or router (.tls=true or tls:{}).
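For reference, here is the posted dynamic_conf.yml with the `tls` block moved into it, as an added example rather than the original poster's or the answerer's configuration. Certificate paths, hostnames and the upstream address are taken from the post and are assumed to be correct; traefik.yml would then keep only entryPoints, providers, api and log.

```yaml
# /opt/traefik/dynamic_conf.yml  (dynamic configuration, loaded through providers.file)
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # Reject ClientHellos that carry no SNI instead of answering them with the default cert.
      sniStrict: true

  # Certificates are matched to the incoming SNI by their SAN entries;
  # *.domain1.com already covers sub1.domain1.com, so no per-router domain list is needed.
  certificates:
    - certFile: /certs/_.domain1.com/domain1-fullchain.crt
      keyFile: /certs/_.domain1.com/domain1.com.key
    - certFile: /certs/domain2-cloud/cloudflare_origin.crt
      keyFile: /certs/domain2-cloud/cloudflare_origin.key

  stores:
    default:
      # Fallback only for SNI values that match no loaded certificate.
      defaultCertificate:
        certFile: /certs/_.domain1.com/domain1-fullchain.crt
        keyFile: /certs/_.domain1.com/domain1.com.key

http:
  routers:
    sub1-router:
      rule: "Host(`sub1.domain1.com`)"
      entryPoints:
        - websecure
      service: sub1-service
      # Enable TLS on the router; `domains` is only consulted by ACME certificate resolvers.
      tls: {}

  services:
    sub1-service:
      loadBalancer:
        servers:
          - url: "http://10.0.0.11"
```

After removing the `tls` section from traefik.yml and restarting, confirm which certificate is served with `openssl s_client -connect 10.0.0.8:443 -servername sub1.domain1.com </dev/null | openssl x509 -noout -subject -ext subjectAltName`; the DEBUG log should no longer print "Serving default certificate" for that host. Note that a Cloudflare Origin CA certificate is only trusted by Cloudflare's edge, so hitting domain2 directly from a browser will still show an untrusted issuer even once the right certificate is selected.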