I use a .dev and it just works with letsencrypt. I don’t do anything special with wildcards, I just let traefik request a cert for every subdomain I use and it works. I believe letsencrypt must ignore HSTS for validation because I use the tls challenge which works on port 443, so I don’t think port 80 is required, but I still forwarded it so I can serve an http->https redirect since stuff like curl and probably other tools might not know about HSTS.