Traefik docker(compose), multiple host in label. Let is serve different ssl certs

I have a dev setup that for my needs right now. I only want serve multiple self signed ssl cert. I added a ca to my keychain(macOS), and use that ca to sign my own cert for every test domain. I'm using docker-compose with traefik as proxy manager and alemp stack for wordpress development. I can now generate wildcards certs for {domain}.test and www.{domain}.test. But i have some multisites thats using more than 1 domain. It's working on http on the same lemp stack but cant figure it out how to use multiple cert on traefik My configs:

-- lemp stack (php and other services not included)

 version: '3.7'
    services:
      nginx:
        image: nginx:latest
        container_name: ${APP_NAME}-nginx
        volumes:
          - "./nginx/:/etc/nginx/templates/"
          - ./src:/var/www/html:rw,cached
        environment:
          - "NGINX_ENVSUBST_TEMPLATE_SUFFIX=.conf"
        depends_on:
          - app
        networks:
          - default
          - traefik
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.${APP_NAME}.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`) || Host(`${DOMAIN2}`) || Host(`www.${DOMAIN2}`)"
          - "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
          - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=80"
          - "traefik.docker.network=traefik_proxy"
        restart: always

-- My traefik proxy

version: '3.7'

services:
  reverse-proxy:
    container_name: traefik
    # The official v2.0 Traefik docker image
    image: traefik:v2.4
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --providers.file.directory=/etc/traefik/dynamic
    ports:
      # The HTTP port
      - "192.168.255.1:80:80"
      - "192.168.255.1:443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "192.168.255.1:8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - ./traefik/dynamic/dynamic.yaml:/etc/traefik/dynamic/dyn.yaml
      - ./traefik/certs:/etc/traefik/certs:ro


networks:
  default:
    name: traefik_proxy
    external: false

If the certificate are in the certificate store than it should work.

This does not look like a proper rule though.
Host(`www.${DOMAIN}`)${DOMAIN_ADDITIONAL}

that was a typo, my bad. My config is little bit generated bij a script and needed to edit it for this post.
But it seems to be working right now with this config

  certificates:
    - certFile: "/etc/traefik/certs/cert.crt"
      keyFile: "/etc/traefik/certs/key.key"
    - certFile: "/etc/traefik/certs/domain1.test.crt"
      keyFile: "/etc/traefik/certs/domain1.test.key"
    - certFile: "/etc/traefik/certs/domain2.test.crt"
      keyFile: "/etc/traefik/certs/domain2.test.key"
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/cert.crt"
        keyFile: "/etc/traefik/certs/key.key"

i have 2 questions still. Is there a way to add these entry with a script or specifie the certfile in a docker label, or even better can traefik watch a folder. Like all certs in /certs/
And an other question, not traefik but but more chrome. I added the CA in my keychain(macOS). When i open the site on safari there are no problems. But on chrome a get the "not secure" badge next to my url.
is there a way to solve this?

Only the file provider can be used to define them. As this is the case you can copy the certificates in and then updated the configuration file(as long as the file/directory is watched).

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores). However, in Kubernetes, the certificates can and must be provided by secrets.

You may have to add the CA the browser. I often forget which browsers use the system's CA store and which use their own.
chrome://settings/certificates