Why can't we specify a global certificate resolver PER domain?

As is currently implemented, the automatic certificate generation is based on routes. This poses the following problems:

  1. Different domains are included on a single certificate.
  2. Additional certificates are generated if a domain is added to a route later.
  3. The same domain will have different certificates if part of multiple routes.

The above seems highly inefficient with respect to the number of certificates Traefik would have to maintain, and not well thought out for a multitenant app, where a client would see other clients' domains in their certificates.

In our case, we have different routes for the different services which all of our clients use. So one route may have www.client1.com and www.client2.com, and another route may have www2.client1.com and www2.client2.com. This would result in each certificate referencing multiple clients/domains.

Instead, it would be nice to specify a global certificate resolver that has main = domain.com and sans = *.domain.com. Then a single certificate is issued for that domain regardless of how many routes the domain shows up in. So if you have three routes:

  1. www.client1.com, www.client2.com
  2. www2.client1.com, www2.client2.com
  3. www3.client1.com, www3.client2.com

only 2 certificates would be generated: one for client1.com/*.client1.com and one for client2.com/*.client2.com.

This also future-proofs it for when the same domain is added to another route: it will just use the already issued certificate.

Any chance at this getting implemented?

Hello,

It's possible by using the HTTP options of the entry point, but it's not dynamic like the dynamic configuration (routers configuration), because it's part of the static configuration.
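To make the two configuration shapes discussed in this thread concrete, here is an added example; it was not posted by either participant and is not taken from Traefik's own documentation. The resolver name `le`, the DNS provider, the e-mail address and the client1.com/client2.com names are assumptions. The first part is the per-router form (dynamic configuration, the behaviour the opening post complains about); the second part is the entry point form the reply refers to, which lives in the static configuration and is only read at startup.

```yaml
# --- Per-router TLS domains (DYNAMIC configuration, e.g. a file provider or labels) ---
# Each router carries its own tls.domains list, so every router that names a
# domain drives a separate ACME order for it. Assumed router/service names.
http:
  routers:
    www:
      rule: "Host(`www.client1.com`) || Host(`www.client2.com`)"
      entryPoints: ["websecure"]
      service: www-svc
      tls:
        certResolver: le
        domains:
          - main: "client1.com"
            sans: ["*.client1.com"]
          - main: "client2.com"
            sans: ["*.client2.com"]
    www2:
      rule: "Host(`www2.client1.com`) || Host(`www2.client2.com`)"
      entryPoints: ["websecure"]
      service: www2-svc
      tls:
        certResolver: le
        # Repeating the same main/sans pairs here is what the original post
        # is trying to avoid having to do on every router.

# --- Entry point TLS domains (STATIC configuration, traefik.yml) ---
# The domains are declared once on the entry point. Routers attached to this
# entry point get TLS enabled by default and may simply reference the resolver
# (or omit the tls section) instead of repeating main/sans on each route.
# Because this is static configuration, adding a new tenant domain here
# requires a restart, which is the limitation the reply above points out.
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: le
        domains:
          - main: "client1.com"
            sans: ["*.client1.com"]
          - main: "client2.com"
            sans: ["*.client2.com"]

certificatesResolvers:
  le:
    acme:
      email: "admin@example.com"   # assumed
      storage: "/acme/acme.json"   # assumed path; protect it, it holds private keys
      # Wildcard SANs (*.client1.com) can only be issued via the DNS-01
      # challenge; the HTTP or TLS-ALPN challenges cannot validate wildcards.
      dnsChallenge:
        provider: "cloudflare"     # assumed provider; credentials come from env vars
```

One practical caveat for either form: the DNS-01 challenge needs API credentials for the DNS provider inside the Traefik process, so the host that terminates TLS for every tenant also holds a credential that can alter DNS for every tenant's zone. Scope that credential to the zones Traefik actually manages rather than a whole account.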

It would need to be dynamic; otherwise it completely defeats the purpose of Traefik, which is to allow dynamically adding routes at runtime without a restart. It seems to me this would benefit a lot of users of Traefik. Is there any possible way this sees its way into a future update?