Traefik not sending self-signed certificates for subdomain localhost

Hello everyone,

I can't seem to make traefik serve my own self-signed certificates for subdomains. It works fine for anything.localhost but not anything.anything.localhost.
I tried playing with the sniStrict option and SNIHost but it doesn't work.

What am I missing?

networks:
  default:
    external: 
      name: traefik

services:
  reverse-proxy:
    command: --api.dashboard=true --providers.docker=true --entrypoints.https.address=:443 --providers.file.filename=/etc/traefik/dyn.yml
    image: traefik:2.1
    ports:
      - "443:443"
    volumes:
      - ./certs/localhost.crt:/localhost.crt
      - ./certs/localhost.key:/localhost.key
      - ./dyn.yml:/etc/traefik/dyn.yml
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.rule=Host(`traefik.localhost`)
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls=true
  whoami:
    image: containous/whoami
    labels:
      - traefik.http.routers.whoami.entrypoints=https
      - traefik.http.routers.whoami.rule=Host(`www.whoami.localhost`)
      - traefik.http.routers.whoami.tls=true

tls:
  stores:
    default: {}
    #  options:
    #    default:
    #      sniStrict: true
  certificates:
    - certFile: /localhost.crt
      keyFile: /localhost.key
      stores:
        - default

$ nmap -p 443 --script ssl-cert traefik.localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-15 11:05 CET
Nmap scan report for traefik.localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for traefik.localhost (not scanned): ::1
rDNS record for 127.0.0.1: localhost

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=localhost/organizationName##REDACTEDOUT##
| Subject Alternative Name: DNS:*.localhost
| Issuer: commonName=localhost/organizationName=##REDACTEDOUT##
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-07-29T20:48:53
| Not valid after:  2029-07-26T20:48:53
| MD5:   a5d0 ea65 3932 1c51 9f48 be9c e0e5 bbaf
|_SHA-1: 5514 8843 0185 548e a3ac 0b19 7b38 04ca 8806 2624

$ nmap -p 443 --script ssl-cert www.whoami.localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-15 11:05 CET
Nmap scan report for www.whoami.localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for www.whoami.localhost (not scanned): ::1
rDNS record for 127.0.0.1: localhost

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=TRAEFIK DEFAULT CERT
| Subject Alternative Name: DNS:2dbe3b83a8de0d19335f5913c18792d7.ac40383a9ffe2c5c4474a07271b1c0d3.traefik.default
| Issuer: commonName=TRAEFIK DEFAULT CERT
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-15T10:04:59
| Not valid after:  2021-03-15T10:04:59
| MD5:   4b82 fb6b 94a1 3fb1 bb25 b0b1 49df a957
|_SHA-1: 0dc8 f999 7156 beb6 69ef 9807 ec02 2cf0 a8c7 15d1

That certificate is working fine with traefik 1.7.
Thanks for reading :).

Hello,

https://docs.traefik.io/v2.1/https/tls/#default-certificate

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /localhost.crt
        keyFile: /localhost.key

Hello again :D.

If I understand correctly, that will set up a default certificate regardless of whether the client sent the TLS extension for SNI or not. How would I achieve the same result that would require SNI to be sent? Just set the SNIStrict option to true? So it's my configuration layout that is wrong? If so, then why is the self-signed certificate being served for some domain/router but not for subsubdomain?
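
The two nmap results above follow from how wildcard names are matched: a `*` in a certificate's Subject Alternative Name covers exactly one left-most DNS label, so `*.localhost` covers `traefik.localhost` but not `www.whoami.localhost`. The following is an added example, not part of the thread and not Traefik's code: a simplified model of SNI-based certificate selection, in which the function names and the strict-mode behaviour (refuse the handshake when nothing matches) are assumptions.

```python
# Simplified model of SNI certificate selection (added example, not Traefik's code).
# The certificate names and SAN list below are constructed from the nmap output above.

CERTS = {"localhost.crt": ["*.localhost"]}
DEFAULT_CERT = "TRAEFIK DEFAULT CERT"


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' stands for exactly one left-most DNS label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def select_certificate(sni, certs, default_cert, sni_strict=False):
    """Return the name of the certificate the server would present.

    certs maps a certificate name to its list of DNS SAN entries.
    Assumption: in strict mode the handshake is refused (None) when
    no configured certificate matches the requested server name.
    """
    if sni:
        for name, sans in certs.items():
            if any(san_matches(san, sni) for san in sans):
                return name
    if sni_strict:
        return None
    return default_cert


def demo():
    """Run both hostnames from the thread through the model."""
    hosts = ["traefik.localhost", "www.whoami.localhost"]
    return {h: select_certificate(h, CERTS, DEFAULT_CERT) for h in hosts}


if __name__ == "__main__":
    for host, cert in demo().items():
        print(f"{host:24} -> {cert}")
```

In this model, a certificate whose SAN list also contains `*.whoami.localhost` matches the second hostname.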