How do I generate separate certificates on demand on different subdomains

I cannot get a wildcard cert; I don't have access to the main domain.
I want Traefik to generate a Let's Encrypt cert every time a new subdomain name is used, without using a pre-defined list of domains.

I use these in static config:

        email = "example"
        storage = "example"
        entryPoint = "websecure"
        onDemand = true
            main = ""
            sans = ["*"]

These in my docker-compose

    - traefik.http.routers.example-ui-https.rule=HostRegexp(``,`{subhost:[a-zA-Z0-9-]+}`)
    - traefik.http.routers.example-ui-https.tls.certResolver=lets-encrypt

In the Traefik logs I see an error:

{"ACME CA":"","error":"unable to generate a wildcard certificate in ACME provider for domain \",*\" : ACME needs a DNSChallenge","level":"error","msg":"Unable to obtain ACME certificate for domains \",*\"","providerName":"lets-encrypt.acme","routerName":"example-ui-https@docker","rule":"HostRegexp(``,`{subhost:[a-zA-Z0-9-]+}`)","time":"2023-01-27T14:19:21+03:00"}

So, how do I change it from making a wildcard to generating individual ones?

Traefik LetsEncrypt will automatically get a certificate for every .rule=Host() domain.

Simple docker-compose.yml example:

    version: '3.9'

    services:
      traefik:  # service name assumed
        image: traefik:v2.9
        ports:
          - published: 80
            target: 80
            protocol: tcp
            mode: host
          - published: 443
            target: 443
            protocol: tcp
            mode: host
        networks:
          - proxy
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - /root/traefik-certificates:/traefik-certificates
        command:
          # static configuration flags; the entrypoint and certresolver definitions are not shown
          - --entryPoints.websecure.http.tls.certResolver=myresolver
        labels:
          - traefik.enable=true
          - traefik.http.routers.mydashboard.entrypoints=websecure
          - traefik.http.routers.mydashboard.rule=Host(``)
          - traefik.http.routers.mydashboard.service=api@internal
          - traefik.http.routers.mydashboard.middlewares=myauth
          # "$" is doubled so Compose does not treat it as variable interpolation
          - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

      whoami:  # service name assumed
        image: traefik/whoami:v1.8
        networks:
          - proxy
        labels:
          - traefik.enable=true
          - traefik.http.routers.mywhoami.entrypoints=websecure
          - traefik.http.routers.mywhoami.rule=Host(``) || Host(``)

    networks:
      proxy:
        name: proxy

This will automatically generate two certificates:

  2. and


  1. create a certresolver (without any domains)
  2. assign certresolver to entrypoint or to router directly (without any TLS domain)
  3. use .rule=Host( ) (with backticks, not shown here)

My issue is that it tries to make wildcard domains in many different situations where I don't want it to.
For example here:

Also, I would like to have a service on a domain specified by regexp, with domain generation on demand.
Like, I accept all connections on *
and generate a cert when I get a connection on

For a LetsEncrypt wildcard cert, you need to use DNSChallenge with your DNS provider.

If you have a defined set of sub-domains, then you can use Host() with the other challenges.

I have this setup and it tries to make a wildcard cert, as shown in my previous message.

Can you please read the docs and/or check the forum for a working example.

A wildcard can only be a subdomain and it only works with DNSChallenge; you have TLSChallenge in your config.

Yes, I have read the docs, and understand that.

The issue is that I want to make traefik just generate every certificate separately instead of it trying to make a wildcard one and failing.

You can easily do that. Use one or multiple Host() for every router rule. Remove all the main and sans.
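
The three steps listed earlier in the thread (a certresolver without domains, attached to the entrypoint, and a Host() rule on the router), written out as a file-based Traefik v2 static configuration plus router labels. This is an added example, not configuration posted by anyone in the thread; the file name `traefik.yml`, the email address, the `acme.json` file name, the router name `app1`, the `example.com` hostnames and the choice of `tlsChallenge` are assumptions.

```yaml
# --- traefik.yml: static configuration (Traefik v2) ---
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: myresolver   # step 2: resolver attached to the entrypoint

certificatesResolvers:
  myresolver:
    acme:
      email: admin@example.com                  # placeholder (assumption)
      storage: /traefik-certificates/acme.json  # file name assumed; directory is the mounted volume
      tlsChallenge: {}                          # assumption; enough for named hosts, not for wildcards
      # step 1: no domain list of any kind is configured on the resolver

providers:
  docker:
    exposedByDefault: false   # only containers labelled traefik.enable=true are routed

---
# --- docker-compose labels of one application container ---
# (hostnames are placeholders; list every subdomain that needs a certificate)
labels:
  - traefik.enable=true
  - traefik.http.routers.app1.entrypoints=websecure
  # step 3: the names inside Host() are the names requested from Let's Encrypt;
  # two Host() matchers on one router yield one certificate covering both names.
  - traefik.http.routers.app1.rule=Host(`app1.sub.example.com`) || Host(`www.app1.sub.example.com`)
  # Deliberately not set:
  #   traefik.http.routers.app1.tls.domains[0].main
  #   traefik.http.routers.app1.tls.domains[0].sans
  # A "*" in main/sans requests a wildcard, which fails without a DNS challenge
  # ("ACME needs a DNSChallenge", as in the log line quoted in the question).
  # A router matched only by HostRegexp() gives the resolver no name to request.
```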