I just caught this issue in action with debug logs. I have compared with my friend and they look identical. I don't know if this is an issue with wildcard config at this point.
Below is me refreshing the page at which firefox was showing an invalid certificate a few times. I then click "continue anyway" and once I get through and apparently hit a couple 499s the cert is fine...
I find it suspicious that it is searching for a cert for www.---.com... but idk
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:20:58Z" level=debug msg="Serving default certificate for request: \"www.---.com\""
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:20:58Z" level=debug msg="http: TLS handshake error from ---:35430: remote error: tls: bad certificate"
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:07Z" level=debug msg="Serving default certificate for request: \"www.----.com\""
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:07Z" level=debug msg="http: TLS handshake error from ----:35431: remote error: tls: bad certificate"
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:08Z" level=debug msg="Serving default certificate for request: \"www.----.com\""
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:08Z" level=debug msg="http: TLS handshake error from ----:35432: remote error: tls: bad certificate"
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:10Z" level=debug msg="Filtering disabled container" providerName=docker container=db-postgres-3c6aqk9yczfq5as274jwh78ft
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:10Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"http-catchall\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"wwwtohttps\"],\"service\":\"traefik\",\"rule\":\"HostRegexp(`{host:(www\\\\.)?.+}`)\"},\"svelte\":{\"entryPoints\":[\"websecure\"],\"service\":\"svelte\",\"rule\":\"Host(`---.com`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"svelte-staging\":{\"entryPoints\":[\"websecure\"],\"service\":\"svelte-staging\",\"rule\":\"Host(`staging.---.com`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"wwwsecure-catchall\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"wwwtohttps\"],\"service\":\"traefik\",\"rule\":\"HostRegexp(`{host:(www\\\\.).+}`)\",\"tls\":{}}},\"services\":{\"svelte\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.222:3000\"}],\"passHostHeader\":true}},\"svelte-staging\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.221:3000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.226:8080\"}],\"passHostHeader\":true}}},\"middlewares\":{\"wwwtohttps\":{\"redirectRegex\":{\"regex\":\"^https?://(?:www\\\\.)?(.+)\",\"replacement\":\"https://${1}\",\"permanent\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:10Z" level=debug msg="Skipping unchanged configuration." providerName=docker
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:16Z" level=debug msg="Serving default certificate for request: \"www.---.com\""
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:17Z" level=debug msg="'499 Client Closed Request' caused by: context canceled"
proxy_traefik.1.zxqi6dgirhza@cn-eu-central-2 | time="2023-07-11T16:21:17Z" level=debug msg="'499 Client Closed Request' caused by: context canceled"