Traefik serving default certificate instead of my specified one

Running Traefik in Docker Swarm, I have the following YAML:

```yaml
version: '3.8'

services:
  traefik:
    image: traefik:v3.2
    hostname: '{{.Node.Hostname}}'
    ports:
      # listen on host ports without ingress network
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - "/etc/certs:/etc/certs:ro"
      #- "/etc/certs/homenet.lan.crt:/etc/certs/homenet.lan.crt:ro"
      #- "/etc/certs/homenet.lan.key:/etc/certs/homenet.lan.key:ro"
      - "./config/tls.yml:/etc/traefik/tls.yml:ro"
      - /var/log/traefik:/var/log/traefik:rw
    command:
      - --api.dashboard=true
      - --log.level=TRACE
      - --log.maxSize=1
      - --log.maxBackups=2
      - --log.maxAge=3
      - --log.compress=true
      - --log.filepath=/var/log/traefik/traefik.log
      - --accesslog=true
      - --providers.file.filename=/etc/traefik/tls.yml
      - --accesslog.filepath=/var/log/traefik/traefik-access.log
      - --accesslog.format=common
      - --providers.swarm.exposedByDefault=false
      - --providers.swarm.network=proxy
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      #- --entrypoints.websecure.http.tls.domains[0].main=homenet.lan
      #- --entrypoints.websecure.http.tls.domains[0].sans=*.homenet.lan
      #- --entrypoints.websecure.http.tls.certresolver=myresolver
      #- --certificatesresolvers.myresolver.acme.email=mail@example.com
      #- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      #- --certificatesresolvers.myresolver.acme.tlschallenge=true
    deploy:
      mode: global
      placement:
        constraints:
          - node.role==manager
      labels:
        - traefik.enable=true
        - traefik.http.routers.mydashboard.rule=Host(`proxy.homenet.lan`)
        - traefik.http.routers.mydashboard.entrypoints=websecure
        - traefik.http.routers.mydashboard.tls=true
        - traefik.http.routers.mydashboard.service=api@internal
        #- traefik.http.routers.mydashboard.middlewares=myauth
        - traefik.http.services.mydashboard.loadbalancer.server.port=1337
        #- traefik.http.middlewares.myauth.basicauth.users=admin:$$apr1$$kXrZuhzF$$w3a0K/Uyq38KlhW/bEw6y0

networks:
  proxy:
    name: proxy
    external: true
    driver: overlay
    attachable: true
```

And my TLS YAML file is as follows (I even tried a version with sniStrict: false):

```yaml
tls:
  options:
    default:
      sniStrict: true
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/services/homenet.lan.crt
        keyFile: /etc/certs/services/homenet.lan.key
  certificates:
    # Additional certificates for other domains
    - certFile: /etc/certs/services/mydomain.io.crt
      keyFile: /etc/certs/services/mydomain.io.key
      stores:
        - default
```

When I try to connect with mydomain.io, I am getting the default SSL instead of the mydomain SSL.

Here is the log when starting Traefik:

```
2025-07-31T23:06:28Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) *.mydomain.io,cloudflare origin certificate,mydomain.io
2025-07-31T23:06:28Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) *.homenet.lan
```

Are you running Traefik on multiple nodes? Do all instances have access to the config and TLS files?

Enable and check Traefik debug log (doc), are routers created? Any "acme" or "err" in logs? Enable and check Traefik access log in JSON format (doc), what’s the output during requests?
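As an added example (not part of the thread and not Traefik's own code), the debug-log check suggested above can be done offline: the script below parses the "Adding certificate for domain(s)" lines quoted in the question and reports which loaded certificate covers a given SNI name. The function names are hypothetical, and the matching rule is an assumption (exact name, or a `*.` wildcard covering exactly one leftmost label); Traefik's selection logic may differ in detail.

```python
import re

# The two debug lines quoted in the question above.
LOG = """\
2025-07-31T23:06:28Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) *.mydomain.io,cloudflare origin certificate,mydomain.io
2025-07-31T23:06:28Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) *.homenet.lan
"""

ADDED = re.compile(r"Adding certificate for domain\(s\) (.+)$")


def loaded_certs(log_text):
    """Return one list of names per certificate the log reports as loaded."""
    certs = []
    for line in log_text.splitlines():
        m = ADDED.search(line)
        if m:
            certs.append([n.strip().lower() for n in m.group(1).split(",")])
    return certs


def name_covers(pattern, host):
    """Assumed rule: exact match, or '*.' wildcard for one leftmost label."""
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host


def cert_for_sni(sni, certs):
    """Return the name list of the first certificate covering sni, else None."""
    host = sni.lower().rstrip(".")
    for names in certs:
        if any(name_covers(p, host) for p in names):
            return names
    return None


if __name__ == "__main__":
    certs = loaded_certs(LOG)
    for sni in ("mydomain.io", "app.mydomain.io", "a.b.mydomain.io",
                "proxy.homenet.lan", "homenet.lan"):
        hit = cert_for_sni(sni, certs)
        print(f"{sni:20} -> {hit or 'no loaded certificate covers this name'}")
```

Run against these two log lines, the bare name `homenet.lan` is not covered, because that certificate lists only `*.homenet.lan`.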