As is currently implemented, the automatic certificate generation is based on routes. This poses the following problems:
- Different domains are included on a single certificate.
- Additional certificates are generated if a domain is added to a route later.
- The same domain will have different certificates if part of multiple routes.
The above seems highly inefficient with respect to the number of certificates Traefik would have to maintain, and not well thought out for a multitenant app, where a client would see other clients' domains in their certificates.
In our case, we have different routes for the different services which all of our clients use. So one route may have www.client1.com and www.client2.com, and another route may have www2.client1.com and www2.client2.com. This would result in each certificate referencing multiple clients/domains.
Instead, it would be nice to specify a global certificate resolver that has the main = domain.com and sans = *.domain.com. Then, a single certificate is issued for that domain regardless of how many routes the domain shows up in. So if you have three routes: 1: www.client1.com, www.client2.com; 2: www2.client1.com, www2.client2.com; 3: www3.client1.com, www3.client2.com, only 2 certificates would be generated, one for client1.com/*.client1.com and one for client2.com/*.client2.com.
This also future-proofs it when the same domain is added to another route. It will just use the already issued certificate.
Any chance at this getting implemented?
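The following is an added example, not code from the issue or from Traefik: a small Python model of the two policies discussed above (route-based certificates versus one certificate per registrable domain), run over the three constructed routes from the post. It assumes, for the constructed hostnames, that the registrable domain is simply the last two labels; a real implementation would consult the Public Suffix List.

```python
# Constructed routes from the feature request (hypothetical tenants
# client1 and client2); each route lists the hostnames it serves.
ROUTES = {
    "route1": ["www.client1.com", "www.client2.com"],
    "route2": ["www2.client1.com", "www2.client2.com"],
    "route3": ["www3.client1.com", "www3.client2.com"],
}


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels.
    Real deployments should use the Public Suffix List (e.g. for co.uk)."""
    return ".".join(host.split(".")[-2:])


def certs_per_route(routes):
    """Route-based policy: one certificate per route whose SAN list is
    every hostname on that route, so tenants end up on shared certificates."""
    return {name: sorted(hosts) for name, hosts in routes.items()}


def certs_per_domain(routes):
    """Proposed policy: one certificate per registrable domain with
    main=domain and sans=*.domain, reused no matter how many routes use it."""
    certs = {}
    for hosts in routes.values():
        for host in hosts:
            d = registrable_domain(host)
            certs[d] = {"main": d, "sans": ["*." + d]}
    return certs


def cross_tenant_certs(certs):
    """Names of route certificates whose SANs span more than one registrable
    domain, i.e. where one client's certificate discloses another's names."""
    return sorted(name for name, sans in certs.items()
                  if len({registrable_domain(h) for h in sans}) > 1)


if __name__ == "__main__":
    by_route = certs_per_route(ROUTES)
    by_domain = certs_per_domain(ROUTES)
    print(len(by_route), "route certs, cross-tenant:", cross_tenant_certs(by_route))
    print(len(by_domain), "domain certs:", by_domain)
```

Adding a fourth route for an existing tenant (e.g. www4.client1.com) grows the route-based count to four certificates while the domain-based count stays at two, which is the reuse behaviour the post asks for.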