Unable to serve default wildcard certificates

I have ACME.sh running in Docker creating wildcard certificates, which I use on my network. The certificates are available inside the traefik container:

$ docker exec -it traefik ls -la /etc/traefik/certs/
total 28
-rw-r--r--    1 1032     users         1350 Jun 20 17:12 *.naschenweng.eu.cer
-rw-r--r--    1 1032     users          964 Jun 20 17:12 *.naschenweng.eu.conf
-rw-r--r--    1 1032     users          574 Jun 20 17:11 *.naschenweng.eu.csr
-rw-r--r--    1 1032     users          208 Jun 20 17:11 *.naschenweng.eu.csr.conf
-rw-r--r--    1 1032     users          288 Jun 20 17:04 *.naschenweng.eu.key
drwxr-xr-x    1 1032     users          250 Jun 20 17:12 .
drwxr-xr-x    1 root     root            10 Aug  1 19:16 ..
-rw-r--r--    1 1032     users         1567 Jun 20 17:12 ca.cer
-rw-r--r--    1 1032     users         2917 Jun 20 17:12 fullchain.cer

In my Compose file I have:

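version: "3.9"  # obsolete under Compose v2 (ignored with a warning); harmless to keep

networks:
  # macvlan gives the container its own address on the LAN (parent bond0),
  # so 192.168.1.99 is reachable from every host on 192.168.1.0/24 directly.
  macvlan_traefik:
    driver: macvlan
    driver_opts:
      parent: bond0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1


# ---------------------------------------------------------------------
# Define Common environment and logging
# PUID/PGID/TZ and the logging limits are expanded from the shell
# environment or an .env file; an unset variable expands to an empty string.
x-common-env: &default-env
  PUID: ${PUID}
  PGID: ${PGID}
  TZ: ${TZ}

x-common-logging: &common-logging-restart-unless-stopped
  restart: unless-stopped
  logging:
    driver: json-file
    options:
      max-file: ${DOCKERLOGGING_MAXFILE}
      max-size: ${DOCKERLOGGING_MAXSIZE}
# ---------------------------------------------------------------------

services:
# Traefik.io - https://traefik.io/traefik
# <mkdir /volume2/docker/appdata/traefik>
# docker compose --profile prod up -d traefik
# URL: https://proxy.naschenweng.eu/
  traefik:
    profiles: ["prod"]  # only started when the "prod" profile is active
    container_name: traefik
    image: traefik:v3.5
    <<: *common-logging-restart-unless-stopped
    networks:
      macvlan_traefik:
        ipv4_address: 192.168.1.99
        aliases:
          - traefik
    # Docker label values are strings: quote boolean/number-looking values so
    # the YAML parser does not turn them into bool/int first.
    # The dashboard router below has no middleware attached, so api@internal
    # is served to anyone who can reach 192.168.1.99:443 - attach an auth
    # middleware (e.g. basicAuth) before exposing it beyond a trusted LAN.
    labels:
      com.centurylinklabs.watchtower.enable: "true"
      traefik.enable: "true"
      traefik.http.routers.dashboard.rule: Host(`proxy.naschenweng.eu`)
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.entrypoints: websecure
      traefik.http.routers.dashboard.tls: "true"
      traefik.http.services.dashboard.loadbalancer.server.port: "8080"
    environment:
      <<: *default-env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # ":ro" only affects the mount, not the Docker API behind the socket -
      # whoever controls this container can still drive the host's Docker
      # daemon. A socket proxy exposing only the read-only endpoints Traefik
      # needs limits that blast radius.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # "*" is a literal character in acme.sh's output directory name, not a
      # glob; the listing above shows the cert, key and chain files inside it.
      - ${DOCKERCONFDIR}/acme/*.naschenweng.eu_ecc:/etc/traefik/certs:ro
      - ${DOCKERCONFDIR}/traefik/traefik.yml:/traefik.yml:ro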

My traefik.yml:

################################################################
# Global configuration
################################################################
# Static configuration (mounted as /traefik.yml in the container). Only
# static options are applied from here; see the note on the tls section.
global:
  checkNewVersion: true
  sendAnonymousUsage: false

################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

################################################################
# API and dashboard configuration
################################################################
api:
  dashboard: true
  # insecure: true serves the API/dashboard without authentication on the
  # built-in "traefik" entrypoint (port 8080, the port the compose labels
  # point the dashboard service at). Keep this false outside of debugging.
  insecure: true

################################################################
# Docker configuration backend
################################################################
providers:
  docker:
    exposedByDefault: false

################################################################
# TLS configuration
################################################################
# NOTE(review): tls.certificates / tls.stores are dynamic configuration, so
# they are not applied from this static file - hence the log line
# "No default certificate, fallback to the internal generated certificate".
# They have to be loaded through a dynamic provider such as providers.file.
tls:
  certificates:
    - certFile: "/etc/traefik/certs/fullchain.cer"
      keyFile: "/etc/traefik/certs/*.naschenweng.eu.key"
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/fullchain.cer"
        keyFile: "/etc/traefik/certs/*.naschenweng.eu.key"

# DEBUG logs every configuration Traefik receives (see the excerpt below);
# lower it once the setup works.
log:
  level: DEBUG

In the logs I see:

2025-08-01T19:24:22+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"routers":{"dashboard":{"entryPoints":["websecure"],"rule":"Host(`proxy.naschenweng.eu`)","service":"api@internal","tls":{}}},"services":{"dashboard":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://192.168.1.99:8080"}],"strategy":"wrr"}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
2025-08-01T19:24:23+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:386 > No default certificate, fallback to the internal generated certificate tlsStoreName=default

And a curl shows that it is serving the default cert:

curl -vk "https://proxy.naschenweng.eu/"
* Host proxy.naschenweng.eu:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.1.99
*   Trying 192.168.1.99:443...
* Connected to proxy.naschenweng.eu (192.168.1.99) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Aug  1 17:24:23 2025 GMT
*  expire date: Aug  1 17:24:23 2026 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://proxy.naschenweng.eu/

The logs confirm this:

2025-08-01T19:24:23+02:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for proxy.naschenweng.eu with TLS options default entryPointName=websecure
2025-08-01T19:26:57+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "proxy.naschenweng.eu"

What am I missing so that I can use my generated wildcard cert?

Traefik's root `tls` section is dynamic configuration, so it needs to be placed in a separate dynamic config file and loaded via `providers.file` from the static config.

I am not sure whether using `*` in the filename and references is a good idea.

Thank you. The “*” is fine. For anyone else running into this issue, here are the working configs:

traefik.yml

################################################################
# Global configuration
################################################################
# Static configuration. The tls section now lives in
# /etc/traefik/dynamic/tls.yml and is loaded by providers.file below.
global:
  checkNewVersion: true
  sendAnonymousUsage: false

################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: ":80"
    # Redirect every plain-HTTP request on :80 to the websecure entrypoint.
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

################################################################
# API and dashboard configuration
################################################################
api:
  dashboard: true
  # With insecure: false the API/dashboard is only reachable through the
  # api@internal router defined in the compose labels; that router still
  # carries no auth middleware, so it is open to anyone who can reach :443.
  insecure: false

################################################################
# Providers
################################################################
providers:
  docker:
    exposedByDefault: false
  # Dynamic configuration (tls.yml) is read from this directory, which the
  # compose file bind-mounts read-only.
  file:
    directory: /etc/traefik/dynamic
    watch: true
    # NOTE(review): watch covers this directory only. After acme.sh renews
    # the files under /etc/traefik/certs, confirm Traefik actually reloads
    # them; touching tls.yml or restarting the container may be needed.

# DEBUG is useful while troubleshooting; lower it once the setup works.
log:
  level: DEBUG

/etc/traefik/dynamic/tls.yml

################################################################
# TLS configuration
################################################################
# Dynamic configuration, loaded via providers.file from /etc/traefik/dynamic.
# The "*" in the key file name is a literal character in acme.sh's output
# path, not a glob.
tls:
  certificates:
    # fullchain.cer is presumably leaf + intermediates (acme.sh naming), so
    # clients can build the chain without fetching intermediates themselves.
    - certFile: "/etc/traefik/certs/fullchain.cer"
      # The directory listing shows this key as mode 0644 (world-readable);
      # tighten it to 0600 on the host so other local users cannot read it.
      keyFile: "/etc/traefik/certs/*.naschenweng.eu.key"
  stores:
    default:
      # Served when no loaded certificate matches the requested SNI name;
      # without it Traefik falls back to its self-signed "TRAEFIK DEFAULT CERT".
      defaultCertificate:
        certFile: "/etc/traefik/certs/fullchain.cer"
        keyFile: "/etc/traefik/certs/*.naschenweng.eu.key"

docker-compose.yml

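version: "3.9"  # obsolete under Compose v2 (ignored with a warning); harmless to keep

networks:
  # macvlan gives the container its own address on the LAN (parent bond0),
  # so 192.168.1.99 is reachable from every host on 192.168.1.0/24 directly.
  macvlan_traefik:
    driver: macvlan
    driver_opts:
      parent: bond0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1

# ---------------------------------------------------------------------
# Define Common environment and logging
# PUID/PGID/TZ and the logging limits are expanded from the shell
# environment or an .env file; an unset variable expands to an empty string.
x-common-env: &default-env
  PUID: ${PUID}
  PGID: ${PGID}
  TZ: ${TZ}

x-common-logging: &common-logging-restart-unless-stopped
  restart: unless-stopped
  logging:
    driver: json-file
    options:
      max-file: ${DOCKERLOGGING_MAXFILE}
      max-size: ${DOCKERLOGGING_MAXSIZE}
# ---------------------------------------------------------------------

services:
# Traefik.io - https://traefik.io/traefik
# <mkdir /volume2/docker/appdata/traefik>
# docker compose --profile prod up -d traefik
# URL: https://proxy.naschenweng.eu/
  traefik:
    profiles: ["prod"]  # only started when the "prod" profile is active
    container_name: traefik
    image: traefik:v3.5
    <<: *common-logging-restart-unless-stopped
    networks:
      macvlan_traefik:
        ipv4_address: 192.168.1.99
        aliases:
          - traefik
    # Docker label values are strings: quote boolean/number-looking values so
    # the YAML parser does not turn them into bool/int first.
    # The dashboard router below has no middleware attached, so api@internal
    # is served to anyone who can reach 192.168.1.99:443 - attach an auth
    # middleware (e.g. basicAuth) before exposing it beyond a trusted LAN.
    labels:
      com.centurylinklabs.watchtower.enable: "true"
      traefik.enable: "true"
      traefik.http.routers.dashboard.rule: Host(`proxy.naschenweng.eu`)
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.entrypoints: websecure
      traefik.http.routers.dashboard.tls: "true"
      traefik.http.services.dashboard.loadbalancer.server.port: "8080"
    environment:
      <<: *default-env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # ":ro" only affects the mount, not the Docker API behind the socket -
      # whoever controls this container can still drive the host's Docker
      # daemon. A socket proxy exposing only the read-only endpoints Traefik
      # needs limits that blast radius.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # "*" is a literal character in acme.sh's output directory name, not a
      # glob; it holds the cert, key and chain files referenced by tls.yml.
      - ${DOCKERCONFDIR}/acme/*.naschenweng.eu_ecc:/etc/traefik/certs:ro
      # Dynamic configuration directory (tls.yml) read by providers.file.
      - ${DOCKERCONFDIR}/traefik/dynamic:/etc/traefik/dynamic:ro
      - ${DOCKERCONFDIR}/traefik/traefik.yml:/traefik.yml:ro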