diff --git a/smoothschedule/compose/production/traefik/traefik.yml b/smoothschedule/compose/production/traefik/traefik.yml
index 4564d19..71f96c4 100644
--- a/smoothschedule/compose/production/traefik/traefik.yml
+++ b/smoothschedule/compose/production/traefik/traefik.yml
@@ -43,6 +43,16 @@ certificatesResolvers:
           - "1.1.1.1:53"
           - "8.8.8.8:53"
 
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: letsencrypt-dns
+        domain:
+          main: "smoothschedule.com"
+          sans:
+            - "*.smoothschedule.com"
+
 http:
   routers:
     # Main domain and www
@@ -103,8 +113,10 @@ http:
     # Wildcard subdomain router for tenant subdomains
     # Uses DNS challenge for wildcard certificate (*.smoothschedule.com)
     # Routes to nginx which serves the frontend SPA and proxies /api/ to Django
+    # Low priority (1) ensures specific domain routers match first
     subdomain-router:
-      rule: 'HostRegexp(`[a-z0-9-]+\\.smoothschedule\\.com`)'
+      rule: 'HostRegexp(`^[a-z0-9-]+\\.smoothschedule\\.com$`)'
+      priority: 1
       entryPoints:
         - web-secure
       middlewares: