OpenZiti's IP addresses (range)

Ah! That makes perfect sense. And, no, that is not functionality that OpenZiti provides. Thank you for that explanation, it's interesting and useful to understand how/why people are doing what they are doing.

Again, if this were me, what I'd like to see is for the OpenZiti controller (and router) to implement the ACME v2 protocol so that it could satisfy the challenge responses from LetsEncrypt (or others). I actually filed an issue to track that here: Support ACME v2 · Issue #722 · openziti/ziti · GitHub

If everything is on the same local machine, and if OpenZiti were satisfying the ACME v2 challenge, you'd be able to remove Traefik entirely (well, assuming this is "all" you're using it for). I would then utilize the cert obtained for OpenZiti on those other services as well. That way you wouldn't need a proxy (OpenZiti or Traefik in this case) terminating your TLS; it would go all the way into the application itself for a slightly more secure connection (as there's no PITM).

Not that you probably care, but you could do that with your controller if you want, so that your ZAC and your OpenZiti controller API are presenting certificates from a known authority and not the self-signed ones. We have some doc on that: https://docs.openziti.io/docs/guides/alt-server-certs/ and if you're interested in zrok (you have checked out zrok, right?) you could self-host your own zrok, which MIGHT do for you exactly what Traefik is ... 🙂 So I think you should try that out!

Check out this discourse post for that video/commands/information: Zrok Controller certificate error when using public CAs on openziti controller - #5 by TheLumberjack. I think you might like it!

Cheers