Use different certresolvers depending on the domain

I've looked through the documentation and dozens of posts, but didn't really find an answer. I need to use multiple certresolvers for different domains. I'd like to find a way for traefik to default to the correct certificate depending on the domain, as hands-off as possible.

I'd love to set multiple certresolvers per entrypoint, however that does not seem to be possible. Is there an easy way to tell traefik to use certresolver x for a defined domain?

There is the option to set a default certificate in the dynamic config, when no other is specified; however, I can only do that for one domain/resolver. The only other solution, it seems, would be to specify `traefik.http.routers.routername.tls.certresolver=resolvername` in docker; however, I would have to specify that manually for every router / service, right?

If you want to use different resolvers, you need to specify the matching one on every router. It will then use `.rule=Host() || Host()` to create the certs.

If you want to use custom paid certs and one LE certresolver, then you can still assign the certresolver to the entrypoint. Traefik will only use LE when it hasn't found a matching cert among the ones loaded from file.
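An added example of the per-router approach described in the reply above (not configuration from the thread or from the Traefik project): a static config declaring two ACME resolvers, and docker-compose labels that pick one per router. The resolver names (`le-http`, `le-dns`), e-mail address, paths, host names, the Cloudflare DNS provider and the `CF_DNS_API_TOKEN` variable are assumptions for illustration; the entrypoint-level `certResolver` is the default for routers that set none, as the reply says.

```yaml
# traefik.yml (static configuration) -- added example, not from the thread.
# Two ACME resolvers: httpChallenge for plain host certs, dnsChallenge for a
# zone hosted at a DNS provider (needed later for wildcards). Assumed names.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: le-http        # default for routers that set no resolver

providers:
  docker:
    exposedByDefault: false          # only containers with traefik.enable=true

certificatesResolvers:
  le-http:
    acme:
      email: admin@example.com
      storage: /letsencrypt/acme-http.json   # chmod 600: holds the ACME account key
      httpChallenge:
        entryPoint: web
  le-dns:
    acme:
      email: admin@example.com
      storage: /letsencrypt/acme-dns.json    # one storage file per resolver
      dnsChallenge:
        provider: cloudflare                 # assumed provider; token via CF_DNS_API_TOKEN
        resolvers:
          - "1.1.1.1:53"
---
# docker-compose.yml -- each router names the resolver it wants.
services:
  traefik:
    image: traefik:v2.10
    ports: ["80:80", "443:443"]
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}  # keep the secret out of the compose file
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro

  blog:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blog.rule=Host(`blog.example.com`) || Host(`www.example.com`)"
      - "traefik.http.routers.blog.entrypoints=websecure"
      - "traefik.http.routers.blog.tls.certresolver=le-http"   # one cert with both SANs

  api:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`api.example.org`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=le-dns"     # overrides the entrypoint default
```

The `blog` router could drop its `certresolver` label and still get a certificate from `le-http` through the entrypoint default; only routers that need the other resolver have to say so. Keep the `acme-*.json` files mode 0600 and the DNS API token in the environment or a secrets store, since whoever reads either can issue certificates for your names.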

Thanks for your reply! Do I need to specify the domains in the

```yaml
- main: "example.com"
  sans:
    - "*.example.com"
```

format at all anywhere in the config, e.g. in order to get wildcard certs? Or is it enough if I just specify each individual subdomain in docker-compose as .rule=Host(`example.com`), and traefik then requests the certificate only for the subdomain?

Edit: I assume if I use another tool like acme.sh in order to request the certificates, and then save them for use by traefik, that should work too, right?

Traefik has LetsEncrypt included. You can just use Host() and it works out of the box with httpChallenge or tlsChallenge. For wildcards you need more complicated dnsChallenge and main/sans.

Note that LetsEncrypt has a limit of 50 new (sub-)domains (or wildcards) per week, so that kind of indicates when you should start using wildcards, with less you can go the easy way.

Of course you can use a different tool to create the certs, then just load them in a dynamic config file (doc), which needs to be loaded with providers.file in static config. Note you need to restart Traefik or touch the config file itself to reload when you change them. (Hacky example with certbot and providers.http).
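An added example (not from the thread or the Traefik project) of the two things the reply above describes: loading certificates issued outside Traefik, e.g. by acme.sh, through `providers.file`, and requesting a wildcard through a dnsChallenge resolver with `main`/`sans` on the router. It assumes a resolver named `le-dns` configured with `dnsChallenge` in the static config, a directory `/etc/traefik/dynamic` and `/certs` mounted into the container, and the host names shown; all of those are illustrative.

```yaml
# traefik.yml (static) -- only the part that enables the file provider.
providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true        # reload on change; touch the file if an edit is not picked up
---
# /etc/traefik/dynamic/certs.yml (dynamic) -- certs issued by acme.sh/certbot,
# mounted read-only into the container. Traefik matches them by SAN against the
# SNI and only asks the ACME resolver for names no loaded cert covers.
tls:
  certificates:
    - certFile: /certs/shop.example.net/fullchain.pem
      keyFile: /certs/shop.example.net/privkey.pem
  stores:
    default:
      defaultCertificate:          # served when no loaded cert matches the SNI;
        certFile: /certs/default/fullchain.pem   # without it Traefik uses a self-signed one
        keyFile: /certs/default/privkey.pem
  options:
    default:
      minVersion: VersionTLS12
---
# docker-compose.yml labels for a wildcard: main/sans sit on the router, next to
# the certresolver. The DNS-01 resolver issues one cert covering both names.
services:
  app:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.example.com`) || Host(`admin.example.com`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls.certresolver=le-dns"     # assumed dnsChallenge resolver
      - "traefik.http.routers.app.tls.domains[0].main=example.com"
      - "traefik.http.routers.app.tls.domains[0].sans=*.example.com"
```

The same `domains` block can also be written under `http.routers.<name>.tls` in a file-provider file, or under `entryPoints.websecure.http.tls.domains` in the static config when one wildcard should be the default for everything on that entrypoint. Without `domains`, Traefik requests a certificate for exactly the names in the `Host()` rule, so the single-subdomain approach from the reply works with no `main`/`sans` at all, and a wildcard is only needed once the weekly rate limit mentioned above starts to matter. When the files under `/certs` are rotated by the external tool, only the key material changes; Traefik keeps its own ACME state separate in the resolver's storage file.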


Thanks for the quick replies! I will look into what's possible :wink:

Just to be clear, where exactly would I add main/sans for additional resolvers? Static config, dynamic config or as labels in docker compose? I guess I'd have to add it to the routers, in the dynamic config or docker... right?