Let's Encrypt Wildcard but Dashboard using domain-specific SSL cert?

I'm trying to migrate from Nginx-Proxy-Manager over to Traefik due to its excellent reputation and support for authentication middleware, but after going through 4 blog posts and multiple gits (suggesting 1.7 and 2.2 files), I cannot get my dashboard to use a Let's Encrypt wildcard SSL.

My traefik.toml looks like

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

    [entryPoints.websecure.http.tls]
      certResolver = "lets-encrypt"
      [[entryPoints.websecure.http.tls.domains]]
        main = "example.com"
        sans = "*.example.com"
[api]
  dashboard = true

[certificatesResolvers.lets-encrypt.acme]
  email = "admin@example.com"
  storage = "acme.json"
  [certificatesResolvers.lets-encrypt.acme.dnsChallenge]
    provider = "route53"

[providers.file]
  filename = "traefik_dynamic.toml"

and traefik_dynamic.toml

[http.middlewares.simpleAuth.basicAuth]
  users = [
    "admin:$apr1$.BfaFTQ3$f.EhQdVTczf3n247b0wCQ/"
  ]

[http.routers.api]
  rule = "Host(`monitor.lab.example.com`)"
  entrypoints = ["websecure"]
  middlewares = ["simpleAuth"]
  service = "api@internal"
  [http.routers.api.tls]
    certResolver = "lets-encrypt"

Upon accessing it, I can see it using a cert for monitor.lab.example.com instead of *.lab.example.com and can confirm in the acme.json too that it's not generating a wildcard one.

I must be clearly missing something here.

I think Traefik just uses the Host to generate a certificate for the service.

Check the Traefik debug logs for what's happening; it could still create a wildcard cert.


I was under the impression we could define it for all hosts in one shot, but defining it per host like below does resolve it and indeed creates only one cert for multiple hosts. Thanks.
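
The configuration that post refers to is not included on the page. As an added example (not the poster's own file), this is one way to declare the wildcard on the router itself in traefik_dynamic.toml, reusing the router, middleware, resolver and hostnames from the question; the choice of `lab.example.com` as `main` is an assumption.

```toml
# traefik_dynamic.toml (added example; names reuse the question's values)

[http.routers.api]
  rule = "Host(`monitor.lab.example.com`)"
  entryPoints = ["websecure"]
  middlewares = ["simpleAuth"]
  service = "api@internal"

  [http.routers.api.tls]
    certResolver = "lets-encrypt"

    # Without a domains block, Traefik derives the certificate name from the
    # Host() matcher in the rule, so it requests monitor.lab.example.com.
    # A router-level tls section also replaces the entry point's default tls
    # settings, including any domains listed there.
    [[http.routers.api.tls.domains]]
      # Assumption: lab.example.com is the zone the wildcard should cover.
      main = "lab.example.com"
      # A wildcard matches exactly one label: *.lab.example.com covers
      # monitor.lab.example.com, while *.example.com does not.
      sans = ["*.lab.example.com"]
```

Let's Encrypt issues wildcard names only through the DNS-01 challenge, which the `dnsChallenge` resolver in the question's traefik.toml already provides.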