[GH-ISSUE #1816] State of 'Prefer Wildcard Certificate' is not persistend between restarts #10775

New Issue

Closed

opened 2026-05-06 15:02:07 -05:00 by GiteaMirror · 4 comments

GiteaMirror commented 2026-05-06 15:02:07 -05:00

Owner

Copy Link

Originally created by @ghost on GitHub (Nov 5, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1816

Originally assigned to: @oschwartz10612 on GitHub.

Describe the Bug

Set up wildcards long time ago and now see there is in UI: Domains - Domain Settings the Certificate resolver and Prefer Wildcard Certificate.

By default its state is off I think.
When set up as on (and use Save settings) it remain in this state, but only until the server reboot (or docker compose down / up -d).

Like this:

after saving preference:

after reboot:

The Certificate resolver is loaded right (Custom and the name of resolver) as the one I'm using.

Environment

• OS Type & Version: Ubuntu 24.04.3 LTS
• Pangolin Version: 1.12.1
• Gerbil Version: 1.2.2
• Traefik Version: v3.5

To Reproduce

As in description.

The router part of the dynamic_config.yml where the wildcard domain setting is:

 routers:
    api-router:
      entryPoints:
        - websecure
      middlewares:
        - security-headers
      rule: Host(`pangolin.sometestdo.main`) && PathPrefix(`/api/v1`)
      service: api-service
      tls:
        certResolver: some_provider
    main-app-router-redirect:
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
      rule: Host(`pangolin.sometestdo.main`)
      service: next-service
    next-router:
      entryPoints:
        - websecure
      middlewares:
        - security-headers
      rule: Host(`pangolin.sometestdo.main`) && !PathPrefix(`/api/v1`)
      service: next-service
      tls:
        certResolver: some_provider
        domains:
          - main: "sometestdo.main"
            sans:
              ###- "*.sometestdo.main"
              - "*.app.sometestdo.main"

Side note: there is the commented, second-level, subdomain.
Migrating on to *.app.sometestdo.main from *.sometestdo.main as cannot use first-level subdomain.
Because of PTR/rDNS validation.

But afaik this make no difference, it used to be like this even before, with no commented line, on first-level subdomain.

While doing it, noticed this behavior.

Expected Behavior

I believe it should stay as user choose.

Originally created by @ghost on GitHub (Nov 5, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1816 Originally assigned to: @oschwartz10612 on GitHub. ### Describe the Bug Set up [wildcards](https://docs.pangolin.net/self-host/advanced/wild-card-domains) long time ago and now see there is in UI: Domains - Domain Settings the Certificate resolver and Prefer Wildcard Certificate. By default its state is _off_ I think. When set up as _on_ (and use Save settings) it remain in this state, but only until the server reboot (or docker compose down / up -d). Like this: after saving preference: <img width="565" height="96" alt="Image" src="https://github.com/user-attachments/assets/f8d9d735-3b69-4ba1-a240-6401da95dc9c" /> after reboot: <img width="565" height="96" alt="Image" src="https://github.com/user-attachments/assets/9da60865-52e5-4835-91f1-684fe286781d" /> The Certificate resolver is loaded right (Custom and the name of resolver) as the one I'm using. ### Environment - OS Type & Version: Ubuntu 24.04.3 LTS - Pangolin Version: 1.12.1 - Gerbil Version: 1.2.2 - Traefik Version: v3.5 ### To Reproduce As in description. The router part of the dynamic_config.yml where the wildcard domain setting is: ``` routers: api-router: entryPoints: - websecure middlewares: - security-headers rule: Host(`pangolin.sometestdo.main`) && PathPrefix(`/api/v1`) service: api-service tls: certResolver: some_provider main-app-router-redirect: entryPoints: - web middlewares: - redirect-to-https rule: Host(`pangolin.sometestdo.main`) service: next-service next-router: entryPoints: - websecure middlewares: - security-headers rule: Host(`pangolin.sometestdo.main`) && !PathPrefix(`/api/v1`) service: next-service tls: certResolver: some_provider domains: - main: "sometestdo.main" sans: ###- "*.sometestdo.main" - "*.app.sometestdo.main" ``` Side note: there is the commented, second-level, subdomain. Migrating on to _*.app.sometestdo.main_ **from** _*.sometestdo.main_ as cannot use first-level subdomain. Because of PTR/rDNS validation. But afaik this make no difference, it used to be like this even before, with no commented line, on first-level subdomain. While doing it, noticed this behavior. ### Expected Behavior I believe it should stay as user choose.

GiteaMirror added the bug label 2026-05-06 15:02:07 -05:00

GiteaMirror closed this issue 2026-05-06 15:02:08 -05:00

GiteaMirror commented 2026-05-06 15:02:10 -05:00

Author

Owner

Copy Link

@ghost commented on GitHub (Nov 5, 2025):

Also it's unclear to me:

*.sometestdo.main -- this one is displayed (altogether with second-level domain itself) in Record Name section

*.app.sometestdo.main -- but this addition is not

Is it also bug? Or just first-level wildcard does also mean any second and more level is included automatically.

So far can't change this from the dashboard and addition is necessary in the dynamic_config.yml - just it's not 1:1 with dashboard.

<!-- gh-comment-id:3490876736 --> @ghost commented on GitHub (Nov 5, 2025): Also it's unclear to me: *.sometestdo.main -- this one is displayed (altogether with _second-level_ domain itself) in Record Name section *.app.sometestdo.main -- but this addition is not Is it also bug? Or just first-level wildcard does also mean any second and more level is included automatically. So far can't change this from the dashboard and addition is necessary in the dynamic_config.yml - just it's not 1:1 with dashboard.

GiteaMirror commented 2026-05-06 15:02:10 -05:00

Author

Owner

Copy Link

@ghost commented on GitHub (Nov 6, 2025):

The prefer_wildcard_cert is never created in the config.yml

<!-- gh-comment-id:3498531203 --> @ghost commented on GitHub (Nov 6, 2025): The [prefer_wildcard_cert](https://docs.pangolin.net/self-host/advanced/config-file#param-prefer-wildcard-cert) is never created in the config.yml

GiteaMirror commented 2026-05-06 15:02:11 -05:00

Author

Owner

Copy Link

@ghost commented on GitHub (Nov 12, 2025):

Installed fresh new 1.12.2 and now there is no menu at all (still have not yet updated instance 1.12.1 - here the menu is still present).

I mean this menu:

Wildcerts are not generated despite 1.12.2 have this info in corner of the domain page:

Do not understand if this is bug or intended state.

The UI is misleading for me. Because one would expect the wild certs will be prepared for start (after set up is done in traefik_config.yml/dynamic_config.yml and API key in compose).

The Pangolin UI state (that I would expect is ruled by config/config.yml) that Wildcerts are ready, yet they are not with the DNS-01.

Or maybe the there is Docs vs UI gap.

The docs state:

Wildcard certificates allow you to secure unlimited subdomains with a single SSL certificate, eliminating the need to generate individual certificates for each subdomain.

So the description from here for wild certs is making me think that should expect to see *domain.com and *sub.domain.com certificates only instantly with the UI Pangolin default info.

Only after prefer_wildcard_cert and cert_resolver are manually added and acme.json is deleted - these certs are actually created.

<!-- gh-comment-id:3523121000 --> @ghost commented on GitHub (Nov 12, 2025): Installed fresh new 1.12.2 and now there is no menu at all (still have not yet updated instance 1.12.1 - here the menu is still present). I mean this menu: <img width="622" height="299" alt="Image" src="https://github.com/user-attachments/assets/636f0e6d-106b-4448-805c-b620cd2372c4" /> Wildcerts are not generated despite 1.12.2 have this info in corner of the domain page: <img width="183" height="105" alt="Image" src="https://github.com/user-attachments/assets/a858884a-ff2f-47c7-9657-c9e1fdcac4f5" /> Do not understand if this is bug or intended state. The UI is misleading for me. Because one would expect the wild certs will be prepared for start (after set up is done in traefik_config.yml/dynamic_config.yml and API key in compose). The Pangolin UI state (that I would expect is ruled by config/config.yml) that Wildcerts are ready, yet they are not with the DNS-01. Or maybe the there is Docs vs UI gap. The docs state: Wildcard certificates allow you to secure unlimited subdomains with a single SSL certificate, eliminating the need to generate individual certificates for each subdomain. So the description from here for wild certs is making me think that should expect to see *domain.com and *sub.domain.com certificates only instantly with the UI Pangolin default info. Only after `prefer_wildcard_cert` and `cert_resolver` are manually added and acme.json is deleted - these certs are actually created.

GiteaMirror commented 2026-05-06 15:02:12 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Nov 22, 2025):

Tracking in #1829

Installed fresh new 1.12.2 and now there is no menu at all

In 1.12.2 we removed the menu to not allow overriding the config for "config managed domains". We dont want to introduce drift from the configuration file to what is in the database so we do not allow it. This menu will show up for domains that are created from the UI.

<!-- gh-comment-id:3567084272 --> @oschwartz10612 commented on GitHub (Nov 22, 2025): Tracking in #1829 > Installed fresh new 1.12.2 and now there is no menu at all In 1.12.2 we removed the menu to not allow overriding the config for "config managed domains". We dont want to introduce drift from the configuration file to what is in the database so we do not allow it. This menu will show up for domains that are created from the UI.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-48f670c3a3

dependabot/go_modules/install/minor-updates-a249525a56

rdp-ssh

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/github_actions/sigstore/cosign-installer-4.1.2

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4-s.6

1.18.4-s.5

1.18.4-s.4

1.18.4-s.3

1.18.4-s.2

1.18.4-s.1

1.18.4

1.18.4-s.0

1.18.3-s.3

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#10775