Traefik requesting certs from letsencrypt for invalid (unconfigured) sub domains?

I configure numerous standalone docker containers to answer at subdomains using docker labels with the following format:

    labels:
      - "traefik.docker.network=mynet"
      - "traefik.enable=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.rule=Host:${INSTANCE_NAME}.validdomain.tld"
      - "traefik.protocol=https"
      - "traefik.port=8443"

This has worked for years. This morning trying to spin up an instance failed with some obscure HTTPS message SSL_ERROR_INTERNAL_ERROR_ALERT.

Upon investigating further I found numerous strange entries in the acme.toml file. I removed the key and certs and replaces the domain information with validsub.validdomain.tld :

    {
      "Domain": {
        "Main": "dev.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },
    {
      "Domain": {
        "Main": "old.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },
    {
      "Domain": {
        "Main": "shop.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },
    {
      "Domain": {
        "Main": "test.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },
    {
      "Domain": {
        "Main": "demo.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },
    {
      "Domain": {
        "Main": "magento.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },
    {
      "Domain": {
        "Main": "staging.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },
    {
      "Domain": {
        "Main": "store.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },
    {
      "Domain": {
        "Main": "www.demo.validsub.validdomain.tld",
        "SANs": null
      },
      "Certificate": "",
      "Key": ""
    },

It looks to me, like a networks scanner was looking for some sort of system to exploit. It found none, but these unwanted domain certificates have AFAICT taken up my contingent on letsencrypt certificates meaning I cannot spin up new instances. Can it be that traefik is pulling certs for subdomains before checking if they are even being served by this proxy?

Can I configure something to avoid this from happening?