I have a Docker ACME.sh creating wildcard certificates which I am using on my network. The certificates are available in the traefik container:
$ docker exec -it traefik ls -la /etc/traefik/certs/
total 28
-rw-r--r-- 1 1032 users 1350 Jun 20 17:12 *.naschenweng.eu.cer
-rw-r--r-- 1 1032 users 964 Jun 20 17:12 *.naschenweng.eu.conf
-rw-r--r-- 1 1032 users 574 Jun 20 17:11 *.naschenweng.eu.csr
-rw-r--r-- 1 1032 users 208 Jun 20 17:11 *.naschenweng.eu.csr.conf
-rw-r--r-- 1 1032 users 288 Jun 20 17:04 *.naschenweng.eu.key
drwxr-xr-x 1 1032 users 250 Jun 20 17:12 .
drwxr-xr-x 1 root root 10 Aug 1 19:16 ..
-rw-r--r-- 1 1032 users 1567 Jun 20 17:12 ca.cer
-rw-r--r-- 1 1032 users 2917 Jun 20 17:12 fullchain.cer
In my compose I have:
version: "3.9"

networks:
  macvlan_traefik:
    driver: macvlan
    driver_opts:
      parent: bond0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1

# ---------------------------------------------------------------------
# Define common environment and logging
x-common-env: &default-env
  PUID: ${PUID}
  PGID: ${PGID}
  TZ: ${TZ}

x-common-logging: &common-logging-restart-unless-stopped
  restart: unless-stopped
  logging:
    driver: json-file
    options:
      max-file: ${DOCKERLOGGING_MAXFILE}
      max-size: ${DOCKERLOGGING_MAXSIZE}
# ---------------------------------------------------------------------

services:
  # Traefik.io - https://traefik.io/traefik
  # <mkdir /volume2/docker/appdata/traefik>
  # docker compose --profile prod up -d traefik
  # URL: https://proxy.naschenweng.eu/
  traefik:
    profiles: ["prod"] # only runs with the prod profile
    container_name: traefik
    image: traefik:v3.5
    <<: *common-logging-restart-unless-stopped
    networks:
      macvlan_traefik:
        ipv4_address: 192.168.1.99
        aliases:
          - traefik
    labels:
      com.centurylinklabs.watchtower.enable: true
      traefik.enable: true
      traefik.http.routers.dashboard.rule: Host(`proxy.naschenweng.eu`)
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.entrypoints: websecure
      traefik.http.routers.dashboard.tls: true
      traefik.http.services.dashboard.loadbalancer.server.port: 8080
    environment:
      <<: *default-env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${DOCKERCONFDIR}/acme/*.naschenweng.eu_ecc:/etc/traefik/certs:ro
      - ${DOCKERCONFDIR}/traefik/traefik.yml:/traefik.yml:ro
My traefik.yml:
################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: false

################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

################################################################
# API and dashboard configuration
################################################################
api:
  dashboard: true
  insecure: true

################################################################
# Docker configuration backend
################################################################
providers:
  docker:
    exposedByDefault: false

################################################################
# TLS configuration
################################################################
tls:
  certificates:
    - certFile: "/etc/traefik/certs/fullchain.cer"
      keyFile: "/etc/traefik/certs/*.naschenweng.eu.key"
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/fullchain.cer"
        keyFile: "/etc/traefik/certs/*.naschenweng.eu.key"

log:
  level: DEBUG
In the logs I see:
2025-08-01T19:24:22+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"routers":{"dashboard":{"entryPoints":["websecure"],"rule":"Host(`proxy.naschenweng.eu`)","service":"api@internal","tls":{}}},"services":{"dashboard":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://192.168.1.99:8080"}],"strategy":"wrr"}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
2025-08-01T19:24:23+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:386 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
And doing a curl shows that it uses the default cert:
curl -vk "https://proxy.naschenweng.eu/"
* Host proxy.naschenweng.eu:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.1.99
* Trying 192.168.1.99:443...
* Connected to proxy.naschenweng.eu (192.168.1.99) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Aug 1 17:24:23 2025 GMT
* expire date: Aug 1 17:24:23 2026 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://proxy.naschenweng.eu/
The logs confirm this:
2025-08-01T19:24:23+02:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for proxy.naschenweng.eu with TLS options default entryPointName=websecure
2025-08-01T19:26:57+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "proxy.naschenweng.eu"
What am I missing so that I can use my generated wildcard cert?
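As an added example (not part of the original post, and not Traefik's or acme.sh's own code; Python standard library only): a small checker that puts the symptoms above into a repeatable test. It (1) confirms that a wildcard SAN such as `*.naschenweng.eu` covers `proxy.naschenweng.eu` under the usual one-label wildcard rule, (2) picks the two Traefik DEBUG messages that signal the fallback to `TRAEFIK DEFAULT CERT` out of a log, and (3) compares the SHA-256 of the leaf certificate in a local `fullchain.cer` with the certificate actually presented on port 443 for the SNI name. The sample log lines and the PEM blocks in the block are constructed (the PEM blocks are placeholders so the bundle parser can be exercised offline, not real certificates); the script name `check_cert.py` and its command-line arguments are assumptions.

```python
"""Three stdlib-only checks for "is Traefik serving the certificate I configured?"

  1. wildcard_matches():  does a SAN such as "*.naschenweng.eu" cover a hostname?
  2. scan_traefik_log():  flag the DEBUG messages that mean Traefik fell back to
                          its internal self-signed "TRAEFIK DEFAULT CERT".
  3. expected_leaf_fingerprint() / served_cert_fingerprint(): compare the SHA-256
     of the leaf certificate in a local fullchain.cer with the certificate actually
     presented on :443 for a given SNI name.
"""
import base64
import hashlib
import socket
import ssl
import sys

# Fragments of the Traefik v3 debug output that signal the fallback certificate.
DEFAULT_CERT_MARKERS = (
    "No default certificate, fallback to the internal generated certificate",
    "Serving default certificate for request",
)


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: the wildcard must be the whole left-most label and
    covers exactly one label, so "*.example.eu" matches "a.example.eu" but neither
    "example.eu" nor "a.b.example.eu"."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def scan_traefik_log(lines):
    """Return (timestamp, message) for every line showing the default cert in use."""
    hits = []
    for line in lines:
        if any(marker in line for marker in DEFAULT_CERT_MARKERS):
            timestamp = line.split(" ", 1)[0]
            message = line.split(" > ", 1)[-1].strip()
            hits.append((timestamp, message))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def expected_leaf_fingerprint(pem_bundle: str) -> str:
    """SHA-256 of the first certificate (the leaf) in a PEM bundle such as fullchain.cer."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_bundle.index(begin)
    stop = pem_bundle.index(end, start) + len(end)
    return sha256_hex(ssl.PEM_cert_to_DER_cert(pem_bundle[start:stop]))


def served_cert_fingerprint(host, port=443, sni=None, timeout=5.0):
    """SHA-256 of the DER certificate the server presents for the given SNI name.
    Verification is disabled on purpose: we want to observe what is served, not
    to trust it, so this function must not be used as a trust decision."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return sha256_hex(tls.getpeercert(binary_form=True))


# --- Constructed sample data (not real certificates or captured logs) ----------
SAMPLE_LOG = [
    '2025-08-01T19:24:22+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received providerName=docker',
    '2025-08-01T19:24:23+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:386 > No default certificate, fallback to the internal generated certificate tlsStoreName=default',
    '2025-08-01T19:26:57+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "proxy.naschenweng.eu"',
]


def _fake_pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block; only for exercising the parser offline."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


SAMPLE_LEAF_DER = b"constructed placeholder bytes, not a real leaf certificate"
SAMPLE_CA_DER = b"constructed placeholder bytes, not a real CA certificate"
SAMPLE_FULLCHAIN = _fake_pem(SAMPLE_LEAF_DER) + _fake_pem(SAMPLE_CA_DER)


if __name__ == "__main__":
    print("wildcard covers proxy host:",
          wildcard_matches("*.naschenweng.eu", "proxy.naschenweng.eu"))
    for ts, msg in scan_traefik_log(SAMPLE_LOG):
        print(f"default-cert indicator at {ts}: {msg}")
    print("leaf fingerprint in sample bundle:", expected_leaf_fingerprint(SAMPLE_FULLCHAIN))
    if len(sys.argv) == 3:  # assumed usage: python check_cert.py <fullchain.cer> <hostname>
        with open(sys.argv[1], encoding="ascii") as fh:
            want = expected_leaf_fingerprint(fh.read())
        got = served_cert_fingerprint(sys.argv[2])
        print("served certificate matches fullchain leaf:", want == got)
```

Run without arguments it only exercises the offline parts; with a path to the real `fullchain.cer` and the hostname it reports whether the certificate on :443 is the one from the bundle. A mismatch together with log hits from `scan_traefik_log()` is the same signal the `curl -vk` output above gives (`CN=TRAEFIK DEFAULT CERT`), but in a form that can run after every certificate renewal.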