For wildcard LetsEncrypt TLS certs, you need to use dnsChallenge and specify main/sans (doc):
```yaml
tls:
  certResolver: myresolver
  domains:
    - main: "example.com"
      sans:
        - "*.example.org"
```
I recommend setting TLS globally on the entrypoint (example).
Traefik and LetsEncrypt will recognize that the Host() domains are included in the wildcard and will not create separate certs.
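
A static configuration that puts these pieces together, as an added example that is not part of the original post: the resolver uses the DNS-01 challenge and the wildcard is requested once on the entrypoint. The entrypoint names, e-mail address, storage path, domain names and the `cloudflare` provider are assumptions; substitute your own values and DNS provider.

```yaml
# traefik.yml (static configuration), constructed example
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure          # send plain HTTP to the TLS entrypoint
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        # Applied to every router on this entrypoint, so individual
        # routers do not need their own tls/certResolver settings.
        certResolver: myresolver
        domains:
          # A wildcard matches exactly one label: "*.example.org" covers
          # app.example.org but not example.org or a.b.example.org,
          # so the apex is listed separately as main.
          - main: "example.org"              # placeholder domain
            sans:
              - "*.example.org"

certificatesResolvers:
  myresolver:
    acme:
      email: "admin@example.org"             # placeholder contact address
      # Holds the ACME account key and certificate private keys;
      # Traefik expects this file to be mode 600.
      storage: "/letsencrypt/acme.json"      # assumed path
      dnsChallenge:
        # Wildcards are only issued via DNS-01. The provider name is an
        # assumption; its API credentials are read from environment
        # variables and should be scoped to DNS edits on this zone only.
        provider: "cloudflare"
```

With this in place, a router whose rule is `Host()` for a name under the wildcard only needs to be attached to the `websecure` entrypoint.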