Traefik Wildcard Certs (file-provider)

This how-to covers using the wildcard Certbot DNS-01 certificate for home.xn--wersdrfer-47a.de via Traefik’s file-provider, and avoiding per-host ACME certs.

Router TLS behavior

  • Service templates emit tls: {} when no cert resolver is set, so routers stay on TLS and use the file-provider wildcard cert.

  • If you set *_traefik_cert_resolver, the templates will render certResolver: <name> instead.

Certificates

  • Wildcard path: /etc/letsencrypt/live/home.xn--wersdrfer-47a.de/{fullchain.pem, privkey.pem}.

  • File-provider config: /etc/traefik/dynamic/certificates.yml points to the wildcard cert/key.

Backup/Restore

  • Traefik ACME backup/restore is optional and defaults to off:

    • traefik_backup_include_acme: false

    • traefik_restore_include_acme: false

  • Certbot DNS backup/restore is the source of truth for the wildcard (/etc/letsencrypt).

  • To restore per-host ACME, set the include flags to true and re-enable certResolver in the service templates.

Ordering / Runbook hints

  • On fresh installs/restores: restore/issue the wildcard via Certbot before (re)starting Traefik.

  • After certs and dynamic configs are present, restart Traefik once to load the wildcard cert.

  • If a host starts serving a per-host cert again, check acme.json for stale entries and scrub them (or keep the include flags false and redeploy).
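An added example for the last hint, not part of this how-to or of the deployment it describes: a small Python helper that lists the acme.json entries the wildcard already covers (one label under home.xn--wersdrfer-47a.de) and writes a scrubbed copy with the Account sections kept. The sample acme.json is constructed here, and the resolver name letsencrypt is an assumption.

```python
import json

WILDCARD_BASE = "home.xn--wersdrfer-47a.de"  # the Certbot DNS-01 wildcard from this how-to

# Constructed sample in the layout Traefik writes to acme.json; PEM blobs replaced by placeholders.
SAMPLE_ACME = {"letsencrypt": {  # resolver name assumed, not from the how-to
    "Account": {"Email": "admin@example.invalid", "KeyType": "4096"},
    "Certificates": [
        {"domain": {"main": "grafana.home.xn--wersdrfer-47a.de", "sans": []},
         "certificate": "<base64 pem>", "key": "<base64 pem>", "Store": "default"},
        {"domain": {"main": "vpn.example.invalid", "sans": ["www.vpn.example.invalid"]},
         "certificate": "<base64 pem>", "key": "<base64 pem>", "Store": "default"},
    ]}}

def covered_by_wildcard(name: str, base: str = WILDCARD_BASE) -> bool:
    """True if *.<base> matches name: exactly one extra label. The bare apex is not
    assumed to be covered, since the how-to does not say the Certbot cert carries it."""
    suffix = "." + base
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]
    return label != "" and "." not in label

def find_stale(acme: dict, base: str = WILDCARD_BASE) -> list[tuple[str, str]]:
    """(resolver, main domain) of every ACME cert whose names the wildcard already covers."""
    stale = []
    for resolver, state in acme.items():
        for cert in state.get("Certificates") or []:
            names = [cert["domain"]["main"]] + list(cert["domain"].get("sans") or [])
            if all(covered_by_wildcard(n, base) for n in names):
                stale.append((resolver, cert["domain"]["main"]))
    return stale

def scrub(acme: dict, base: str = WILDCARD_BASE) -> dict:
    """Copy of the ACME state with the stale per-host certs dropped; accounts are kept."""
    stale = set(find_stale(acme, base))
    return {resolver: {**state, "Certificates": [
                c for c in state.get("Certificates") or []
                if (resolver, c["domain"]["main"]) not in stale]}
            for resolver, state in acme.items()}

def scrub_file(path: str) -> list[tuple[str, str]]:
    """Rewrite acme.json without the stale entries; stop Traefik first, it rewrites the file itself."""
    with open(path) as fh:
        acme = json.load(fh)
    stale = find_stale(acme)
    if stale:
        with open(path, "w") as fh:  # truncate in place so the file keeps its 0600 mode
            json.dump(scrub(acme), fh, indent=2)
    return stale
```

Run find_stale first and review the list before scrubbing, then restart Traefik once so it reloads the file-provider wildcard rather than the removed per-host entries.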