diff --git a/.env.sample b/.env.sample
index fd3f9ba..3f12a1b 100644
--- a/.env.sample
+++ b/.env.sample
@@ -8,6 +8,11 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # WARN, INFO etc.
 LOG_LEVEL=WARN
+## Enable dns challenge (for wildcard domains)
+## https://doc.traefik.io/traefik/https/acme/#dnschallenge
+#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
+#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
+
 ## Enable Keycloak
 #COMPOSE_FILE="compose.yml:compose.keycloak.yml"
 #KEYCLOAK_MIDDLEWARE_ENABLED=1
diff --git a/compose.yml b/compose.yml
index 4c28d42..dca5dce 100644
--- a/compose.yml
+++ b/compose.yml
@@ -21,6 +21,14 @@ services:
 environment:
 - DASHBOARD_ENABLED
 - LOG_LEVEL
+ {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+ {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") "ovh" }}
+ - OVH_APPLICATION_KEY
+ - OVH_APPLICATION_SECRET
+ - OVH_CONSUMER_KEY
+ - OVH_ENDPOINT
+ {{ end }}
+ {{ end }}
 healthcheck:
 test: ["CMD", "traefik", "healthcheck"]
 interval: 30s
diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl
index 5c25a9c..ef0147f 100644
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@@ -66,3 +66,7 @@ certificatesResolvers:
 storage: /etc/letsencrypt/production-acme.json
 httpChallenge:
 entryPoint: web
+ {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+ dnsChallenge:
+ provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
+ {{ end }}
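Review bot: The sample block added to .env.sample documents the two switch variables but not the OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY and OVH_ENDPOINT names that the compose.yml hunk of this commit forwards to the container, so someone enabling the challenge from this sample gets no hint that credentials are required. I would add commented, empty entries such as `#OVH_ENDPOINT=` and `#OVH_APPLICATION_KEY=` (and the same for the other two), preceded by a comment like `## DNS API credentials: keep real values out of version control`. Once filled in, the real .env holds a live DNS API credential, so it should be git-ignored and readable only by the deploying user, if that is not already the case.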
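Review bot: The four OVH_* entries added under `environment:` in compose.yml hand a DNS API credential to the container as plain environment variables, where it is readable through `docker inspect` and by any process that can read the container's environment. Traefik's ACME DNS providers (via lego) also accept the `_FILE` form of these variables, so an entry such as `- OVH_APPLICATION_SECRET_FILE=/run/secrets/ovh_application_secret` backed by a Compose `secrets:` definition keeps the value out of the environment; the same applies to the consumer key. Whoever holds these keys can edit DNS records, so the OVH token is best restricted to the zone routes the challenge needs. The inner `if` matches only "ovh", so with the challenge enabled and any other provider nothing is forwarded, and issuance will presumably fail only at run time.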
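Review bot: `provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}` in traefik.yml.tmpl renders the variable unquoted and unchecked, so an unset variable yields a bare `provider:` (null) and a value containing YAML-significant characters would change the document structure. Quoting it, `provider: "{{ env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER" }}"`, and emitting the block only when the value is non-empty would surface a misconfiguration at render time instead of at certificate issuance. The existing `httpChallenge:` context lines stay in place, so the resolver appears to end up with both challenge types configured; it is worth confirming which one Traefik uses in that case, since wildcard names can only be validated over DNS. The resolver's opening lines are outside the hunk, so the nesting level of the new keys could not be checked here.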