Not all SAN's are included in the certificate

I'm setting up reverse proxy in my home (my home lab). I have everything running with traefik proxying calls to all services. I have the SSL certs working correctly. My domain provider/registrar is Cloudflare. Traefik is running on the alpine docker image on proxmox. Below is the labels section from my docker.yaml file:
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(dashboard.nerdonthefairway.com)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(dashboard.nerdonthefairway.com)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=nerdonthefairway.com"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=.nerdonthefairway.com"
- "traefik.http.routers.trarfik-secure.tls.domains[0].sans=.home.nerdonthefairway.com"
- "traefik.http.routers.traefik-secure.service=api@internal"

My intention here is to have a SSL certificate with nerdonthefairway.com as root, and the *.nerdonthefairway.com and *.home.nerdonthefairway.com as sans on the cert. However the cert that is generated doesn't have *.home.nerdonthefairway.com as a san, only *.nerdonthefairway.com is included in the cert as a san.

Any idea what I may be doing wrong? I also have this in my static yml:
api:
dashboard: true
debug: true
insecure: true
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
asDefault: true
http:
tls:
certresolver: "cloudflare"
domains:
- main: "nerdonthefairway.com"
sans:
- ".nerdonthefairway.com"
- ".home.nerdonthefairway.com"

Thank you for your help.

Use 3 backticks before and after code/config, to make it more readable.

Check Traefik debug log (doc) for related messages.

Make sure you have created home.nerdonthefairway.com in Cloudflare.

Thanks for the response. I'm trying to keep home.nerdonthefairway.com internal to my home, and nerdonthefairway.com as external. So, when I'm on my home network, I can use service.home.nerdonthefairway.com, and when I'm outside the home, I can use service.nerdonthefairway.com. Is there a way I can do this without creating the home.nerdonthefairway.com in Cloudflare?

You can assign a private IP to a public sub-domain.

From what I have seen on the forum I think Cloudflare as DNS provider needs to know about a sub-domain for deeper wildcards. Not sure if there is an option to create it without an IP.