Traefik still serving default cert

Hi. I have hosted an AdGuard server behind a Traefik proxy.
When I tried to use DoH in Chrome, I was getting "Please verify that this is a valid provider or try again later."

Later I realised Traefik is serving the default cert over 853.

kdig -d @mydomain.tld +tls-ca +tls-host=mydomain.tld example.com

;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(mydomain.tld), port(853), protocol(TCP)
;; DEBUG: TLS, imported 137 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=TRAEFIK DEFAULT CERT
;; DEBUG:      SHA-256 PIN: Lhw7SUI7h6skkjhdfaskjHDSUysdhsojdkdhdmnf7y+lyg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server mydomain.tld@853(TCP)

I already have a wildcard certificate from Let's Encrypt and it's working fine in the browser.

openssl s_client -showcerts -connect mydomain.tld:853

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mydomain.tld
verify return:1

I couldn't understand the issue here. Why is kdig reporting that I have the Traefik default cert while openssl reports that I have a valid cert? And Chrome secure DNS also reports that I don't have valid certs.

I have tried overriding the TLS default cert with a PEM file, but it still doesn't work for me. It would be better if someone could help me out here.

I just solved a similar problem. I'm using linuxserver/swag and blocky instead of traefik, and a wildcard cert from letsencrypt, but the error I got was the same.

To fix this, I told blocky to use fullchain.pem instead of cert.pem - hope this helps.