Reverse proxy with wildcard cert to all my internal services

I am using Cloudflare to manage the DNS for my domain and have a wildcard cert * created via Let's Encrypt and auto-renewed via certbot on my Pi-hole server. I manually copy the certs to all my other services like,, and, and the SSL is working fine. I want to automate the cert renewal for all services, but I would prefer not to create A records in Cloudflare for each subdomain name, as none of the services are exposed externally right now.

I want to use Traefik as a reverse proxy to my services with a wildcard Let's Encrypt cert, but I am not sure what to do after installing Traefik. I have Traefik up on one of my Raspberry Pis by following the docs and am able to reach the dashboard via port 80. All my other services are on different servers, not on Docker. Can someone refer me to a tutorial/example of what I need to do next to forward all traffic to my internal services?

I use Traefik in my homelab with Cloudflare DNS, and instead of a wildcard cert, I'm getting Traefik to manage certs for each subdomain I use. This completely bypasses the problem of distributing the wildcard cert to all instances. I also did not create any A records on Cloudflare for the homelab subdomains, since I'm not using them externally; I do have the A records on the homelab's DNS server, of course. This setup has been working fairly well for me.

> All my other services are on different servers not on Docker.

You need to use the File Provider for configuration discovery then. Both the Routers and Services sections give examples for the File Provider.

I do not have a tutorial for you, but if you have any questions with regard to the documentation or usage of Traefik, please come back and ask.

How do you generate a cert for a subdomain if you don’t create an A record on Cloudflare?
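
Added example, not part of the original thread or taken from the posters' setups: a File Provider configuration of the kind the replies above point to, with certificates issued through the ACME DNS-01 challenge against Cloudflare. DNS-01 is validated by a temporary TXT record created through the DNS API, so no public A record is needed for the internal hostnames. Assumptions: Traefik v2 or later, and placeholder values for the domain (`home.example.com`), backend address, e-mail, file paths and the resolver name `cloudflare`.

```yaml
# --- /etc/traefik/traefik.yml (static config; path is a placeholder) ---
entryPoints:
  websecure:
    address: ":443"

providers:
  file:
    directory: /etc/traefik/dynamic   # one file per backend keeps changes small
    watch: true                       # pick up edits without restarting Traefik

certificatesResolvers:
  cloudflare:                         # resolver name is arbitrary (assumed here)
    acme:
      email: admin@example.com        # placeholder
      storage: /etc/traefik/acme.json # contains private keys; must be mode 600
      dnsChallenge:
        provider: cloudflare          # reads CF_DNS_API_TOKEN from the environment;
                                      # scope the token to Zone:Read + DNS:Edit
                                      # on this one zone only

---
# --- /etc/traefik/dynamic/pihole.yml (dynamic config, File Provider) ---
http:
  routers:
    pihole:
      rule: "Host(`pihole.home.example.com`)"
      entryPoints:
        - websecure
      service: pihole
      tls:
        certResolver: cloudflare
        domains:                      # optional: request one wildcard cert
          - main: "home.example.com"  # instead of one cert per hostname
            sans:
              - "*.home.example.com"
  services:
    pihole:
      loadBalancer:
        servers:
          - url: "http://192.168.1.10:80"   # backend on another host, not in Docker
```

Internal clients still need the hostnames to resolve to the Traefik host, for example through A records on the homelab DNS server as described in the first reply.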