[GH-ISSUE #1829] Wildcard Certificates Not Being Generated Despite prefer_wildcard_cert: true #10780

New Issue

Closed

opened 2026-05-06 15:03:09 -05:00 by GiteaMirror · 13 comments

GiteaMirror commented 2026-05-06 15:03:09 -05:00

Owner

Copy Link

Originally created by @AndrewPaglusch on GitHub (Nov 8, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1829

Originally assigned to: @oschwartz10612 on GitHub.

Describe the Bug

Possibly related to #1816

When prefer_wildcard_cert: true is set in config.yaml for domains, Traefik still generates individual certificates for each subdomain instead of requesting wildcard certificates.

 domains:
   domain1:
     base_domain: foobar1.com
     cert_resolver: letsencrypt
     prefer_wildcard_cert: true
   domain2:
     base_domain: foobar2.com
     cert_resolver: letsencrypt
     prefer_wildcard_cert: true

I believe this bug was introduced in commit d938345deb on Wed Oct 8, since there seems to be some changes being made around the preferWildcardCert setting there.

Environment

• OS Type & Version: AlmaLinux 9.6
• Pangolin Version: 1.12.1 (Community)
• Gerbil Version: 1.2.2
• Traefik Version: 3.4.0
• Newt Version: 1.6.0
• Olm Version: N/A

To Reproduce

1. Configure domains in config.yaml with prefer_wildcard_cert: true:

   domains:
     domain1:
       base_domain: foobar1.com
       cert_resolver: letsencrypt
       prefer_wildcard_cert: true
     domain2:
       base_domain: foobar2.com
       cert_resolver: letsencrypt
       prefer_wildcard_cert: true
   

2. Set global preference in config.yaml:

   traefik:
     cert_resolver: letsencrypt
     prefer_wildcard_cert: true
   

3. Clear the acme.json file to force certificate regeneration:

   rm /path/to/letsencrypt/acme.json
   

4. Restart Pangolin and observe the Traefik logs and/or look at certs generated.

Expected Behavior

The Traefik dynamic configuration should include wildcard domain specifications like:

{
  "tls": {
    "certResolver": "letsencrypt",
    "domains": [
      {
        "main": "*.foobar1.com"
      }
    ]
  }
}

This would cause Traefik to request a single wildcard certificate covering all subdomains.

The Traefik dynamic configuration generates individual domain entries instead:

$ curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries | .[0] | {router: .key, tls_domains: .value.tls.domains}'
{
  "router": "605-prefix-cloud-foobar1-com-router",
  "tls_domains": [
    {
      "main": "cloud.foobar1.com"
    }
  ]
}

Every subdomain gets its own specific certificate request instead of using wildcards.

Originally created by @AndrewPaglusch on GitHub (Nov 8, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1829 Originally assigned to: @oschwartz10612 on GitHub. ### Describe the Bug Possibly related to [#1816](https://github.com/fosrl/pangolin/issues/1816) When `prefer_wildcard_cert: true` is set in `config.yaml` for domains, Traefik still generates individual certificates for each subdomain instead of requesting wildcard certificates. ```yaml domains: domain1: base_domain: foobar1.com cert_resolver: letsencrypt prefer_wildcard_cert: true domain2: base_domain: foobar2.com cert_resolver: letsencrypt prefer_wildcard_cert: true ``` I believe this bug was introduced in commit https://github.com/fosrl/pangolin/commit/d938345debe8a515a8d251cdf4bd448e75ef811e on Wed Oct 8, since there seems to be some changes being made around the `preferWildcardCert` setting there. ### Environment - OS Type & Version: AlmaLinux 9.6 - Pangolin Version: 1.12.1 (Community) - Gerbil Version: 1.2.2 - Traefik Version: 3.4.0 - Newt Version: 1.6.0 - Olm Version: N/A ### To Reproduce 1. Configure domains in `config.yaml` with `prefer_wildcard_cert: true`: ```yaml domains: domain1: base_domain: foobar1.com cert_resolver: letsencrypt prefer_wildcard_cert: true domain2: base_domain: foobar2.com cert_resolver: letsencrypt prefer_wildcard_cert: true ``` 2. Set global preference in `config.yaml`: ```yaml traefik: cert_resolver: letsencrypt prefer_wildcard_cert: true ``` 3. Clear the `acme.json` file to force certificate regeneration: ```bash rm /path/to/letsencrypt/acme.json ``` 4. Restart Pangolin and observe the Traefik logs and/or look at certs generated. ### Expected Behavior The Traefik dynamic configuration should include wildcard domain specifications like: ```json { "tls": { "certResolver": "letsencrypt", "domains": [ { "main": "*.foobar1.com" } ] } } ``` This would cause Traefik to request a single wildcard certificate covering all subdomains. The Traefik dynamic configuration generates individual domain entries instead: ```bash $ curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries | .[0] | {router: .key, tls_domains: .value.tls.domains}' { "router": "605-prefix-cloud-foobar1-com-router", "tls_domains": [ { "main": "cloud.foobar1.com" } ] } ``` Every subdomain gets its own specific certificate request instead of using wildcards.

GiteaMirror added the bug label 2026-05-06 15:03:10 -05:00

GiteaMirror closed this issue 2026-05-06 15:03:12 -05:00

GiteaMirror commented 2026-05-06 15:03:16 -05:00

Author

Owner

Copy Link

@AndrewPaglusch commented on GitHub (Nov 9, 2025):

This bug still appears to be present in the latest release 1.12.2.

[root@cloud-dmz:/opt/docker/pangolin]# docker exec -it pangolin curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries | .[0] | {router: .key, tls_domains: .value.tls.domains}'
{
  "router": "605-prefix-cloud-foobar1-com-router",
  "tls_domains": [
    {
      "main": "cloud.foobar1.com"
    }
  ]
}

I can see individual certs still being generated:

jq '.letsencrypt.Certificates[].domain' < /opt/docker/pangolin/config/letsencrypt/acme.json
{
  "main": "plex.foobar1.com"
}
{
  "main": "photos.foobar2.com"
}
{
  "main": "cloud.foobar3.net"
}
[...]

@oschwartz10612 Would you mind re-opening this issue if you can confirm it's still a problem?

<!-- gh-comment-id:3507515622 --> @AndrewPaglusch commented on GitHub (Nov 9, 2025): This bug still appears to be present in the latest release 1.12.2. ``` [root@cloud-dmz:/opt/docker/pangolin]# docker exec -it pangolin curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries | .[0] | {router: .key, tls_domains: .value.tls.domains}' { "router": "605-prefix-cloud-foobar1-com-router", "tls_domains": [ { "main": "cloud.foobar1.com" } ] } ``` I can see individual certs still being generated: ``` jq '.letsencrypt.Certificates[].domain' < /opt/docker/pangolin/config/letsencrypt/acme.json { "main": "plex.foobar1.com" } { "main": "photos.foobar2.com" } { "main": "cloud.foobar3.net" } [...] ``` @oschwartz10612 Would you mind re-opening this issue if you can confirm it's still a problem?

GiteaMirror commented 2026-05-06 15:03:19 -05:00

Author

Owner

Copy Link

@Anmol202005 commented on GitHub (Nov 10, 2025):

@AndrewPaglusch tried reproducing works good :

~ ❯ curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries[] | select(.value.tls != null) | {router: .key, tls: .value.tls}'
{
  "router": "2-api-router",
  "tls": {
    "certResolver": "letsencrypt",
    "domains": [
      {
        "main": "*.foobar1.com"
      }
    ]
  }
}
{
  "router": "3-dashboard-router",
  "tls": {
    "certResolver": "letsencrypt",
    "domains": [
      {
        "main": "*.foobar1.com"
      }
    ]
  }
}

<!-- gh-comment-id:3509689979 --> @Anmol202005 commented on GitHub (Nov 10, 2025): @AndrewPaglusch tried reproducing works good : ```bash ~ ❯ curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries[] | select(.value.tls != null) | {router: .key, tls: .value.tls}' { "router": "2-api-router", "tls": { "certResolver": "letsencrypt", "domains": [ { "main": "*.foobar1.com" } ] } } { "router": "3-dashboard-router", "tls": { "certResolver": "letsencrypt", "domains": [ { "main": "*.foobar1.com" } ] } } ```

GiteaMirror commented 2026-05-06 15:03:25 -05:00

Author

Owner

Copy Link

@AndrewPaglusch commented on GitHub (Nov 11, 2025):

@Anmol202005 Would you mind sharing your redacted config with me? I'd like to see if you're configuring wildcard domains differently than I am. Thanks!

In your redacted output above, I noticed you have two wildcard domains returned for the same (fake) domain. In your real output, are there two different wildcards being returned, each for different domains, or are they each for the same domain?

<!-- gh-comment-id:3519046132 --> @AndrewPaglusch commented on GitHub (Nov 11, 2025): @Anmol202005 Would you mind sharing your redacted config with me? I'd like to see if you're configuring wildcard domains differently than I am. Thanks! In your redacted output above, I noticed you have two wildcard domains returned for the same (fake) domain. In your _real_ output, are there two different wildcards being returned, each for different domains, or are they each for the same domain?

GiteaMirror commented 2026-05-06 15:03:28 -05:00

Author

Owner

Copy Link

@thutex commented on GitHub (Nov 22, 2025):

just chipping in that on a fresh install, i'm NOT seeing this issue, and wildcards are being correctly generated/used

<!-- gh-comment-id:3566588187 --> @thutex commented on GitHub (Nov 22, 2025): just chipping in that on a fresh install, i'm NOT seeing this issue, and wildcards are being correctly generated/used

GiteaMirror commented 2026-05-06 15:03:32 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Nov 22, 2025):

Will fix for the next release - must still be something fishy

<!-- gh-comment-id:3567083501 --> @oschwartz10612 commented on GitHub (Nov 22, 2025): Will fix for the next release - must still be something fishy

GiteaMirror commented 2026-05-06 15:03:36 -05:00

Author

Owner

Copy Link

@AndrewPaglusch commented on GitHub (Nov 25, 2025):

Is there something more I can provide that would help show the possible cause of the behavior I'm seeing?

<!-- gh-comment-id:3577285058 --> @AndrewPaglusch commented on GitHub (Nov 25, 2025): Is there something more I can provide that would help show the possible cause of the behavior I'm seeing?

GiteaMirror commented 2026-05-06 15:03:40 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Nov 26, 2025):

No thank you @AndrewPaglusch. We are just slow to get a fix out but will soon

<!-- gh-comment-id:3581790060 --> @oschwartz10612 commented on GitHub (Nov 26, 2025): No thank you @AndrewPaglusch. We are just slow to get a fix out but will soon

GiteaMirror commented 2026-05-06 15:03:43 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Dec 7, 2025):

@AndrewPaglusch I am currently not able to reproduce. Could you give it anouther shot? Maybe there is something about your situation. We can reopen if this is a issue but i will close for now.

You could check for me the following to see if prefer wildcard is in the db.

sqlite3 config/db/db.sqlite ".mode column" "select * from domains;"
domainId  baseDomain   configManaged  type      verified  failed  tries  certResolver  preferWildcardCert
--------  -----------  -------------  --------  --------  ------  -----  ------------  ------------------
domain1   example.com  1              wildcard  1         0       0                    1

this would be with the command from `sudo apt install sqlite3'

<!-- gh-comment-id:3621504937 --> @oschwartz10612 commented on GitHub (Dec 7, 2025): @AndrewPaglusch I am currently not able to reproduce. Could you give it anouther shot? Maybe there is something about your situation. We can reopen if this is a issue but i will close for now. You could check for me the following to see if prefer wildcard is in the db. ``` sqlite3 config/db/db.sqlite ".mode column" "select * from domains;" domainId baseDomain configManaged type verified failed tries certResolver preferWildcardCert -------- ----------- ------------- -------- -------- ------ ----- ------------ ------------------ domain1 example.com 1 wildcard 1 0 0 1 ``` this would be with the command from `sudo apt install sqlite3'

GiteaMirror commented 2026-05-06 15:03:48 -05:00

Author

Owner

Copy Link

@AndrewPaglusch commented on GitHub (Dec 10, 2025):

@oschwartz10612:

[root@cloud-dmz:/opt/docker/pangolin/config/db]# sqlite3 db.sqlite ".mode column" "select * from domains;"
domainId  baseDomain      configManaged  type      verified  failed  tries  certResolver  preferWildcardCert
--------  --------------  -------------  --------  --------  ------  -----  ------------  ------------------
domain1   foobar1.com     1              wildcard  1         0       0      letsencrypt   1
domain2   foobar2.com     1              wildcard  1         0       0      letsencrypt   1
domain3   foobar3.com     1              wildcard  1         0       0      letsencrypt   1

I went ahead and cleared out my acme.json cert store and started the entire Pangolin stack back up to see what certs would be generated. As it was starting, I watched as non-wildcard certs populated the acme.json. Here's what I saw before I killed the containers so I didn't spam the certificate transparency log with hosts

# clear acme.json
[root@cloud-dmz:/opt/docker/pangolin]# > config/letsencrypt/acme.json

[root@cloud-dmz:/opt/docker/pangolin]# jq '.letsencrypt.Certificates[].domain' < config/letsencrypt/acme.json
{
  "main": "foobar1.com"
}
{
  "main": "foobar2.net"
}
{
  "main": "foobar3.com"
}
{
  "main": "dmz-api.foobar1.com"
}
{
  "main": "dmz.foobar1.com"
}
{
  "main": "ai.foobar1.com"
}
{
  "main": "n8n-webhooks.foobar1.com"
}
{
  "main": "blabla.foobar1.com"
}

As you can see, host-specific certs were beginning to populate the certificate store.

My full config.yaml with consistent domain name redaction

[root@cloud-dmz:/opt/docker/pangolin]# cat config/config.yaml
app:
  dashboard_url: https://dmz.foobar1.com
  log_level: info
  save_logs: true

domains:
  domain1:
    base_domain: foobar1.com
    cert_resolver: letsencrypt
    prefer_wildcard_cert: true
  domain2:
    base_domain: foobar2.com
    cert_resolver: letsencrypt
    prefer_wildcard_cert: true
  domain3:
    base_domain: foobar3.com
    cert_resolver: letsencrypt
    prefer_wildcard_cert: true

server:
  external_port: 3000
  internal_port: 3001
  next_port: 3002
  integration_port: 3003
  internal_hostname: pangolin
  session_cookie_name: p_session_token
  resource_access_token_param: p_token
  resource_access_token_headers:
    id: P-Access-Token-Id
    token: P-Access-Token
  resource_session_request_param: p_session_request
  secret: REDACTED
  cors:
    origins:
      - https://dmz.foobar1.com
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
    allowed_headers:
      - X-CSRF-Token
      - Content-Type
    credentials: false
  maxmind_db_path: "./config/GeoLite2-Country.mmdb"

traefik:
  cert_resolver: letsencrypt
  http_entrypoint: web
  https_entrypoint: websecure
  prefer_wildcard_cert: true

gerbil:
  start_port: 51820
  base_endpoint: dmz.foobar1.com
  use_subdomain: false
  block_size: 24
  site_block_size: 30
  subnet_group: 100.89.137.0/20

rate_limits:
  global:
    window_minutes: 1
    max_requests: 500

users:
  server_admin:
    email: andrew@foobar1.com
    password: REDACTED

email:
    smtp_host: "email-smtp.us-west-2.amazonaws.com"
    smtp_port: 587
    smtp_user: "REDACTED"
    smtp_pass: "REDACTED"
    no_reply: "dmz-no-reply@foobar1.com"

flags:
    require_email_verification: true
    disable_signup_without_invite: true
    disable_user_create_org: false
    allow_raw_resources: true
    enable_integration_api: true

[root@cloud-dmz:/opt/docker/pangolin]# cat config/traefik/traefik_config.yml
api:
  insecure: true
  dashboard: true

providers:
  http:
    endpoint: "http://pangolin:3001/api/v1/traefik-config"
    pollInterval: "5s"
  file:
    filename: "/etc/traefik/dynamic_config.yml"

experimental:
  plugins:
    badger:
      moduleName: "github.com/fosrl/badger"
      version: "v1.2.0"

log:
  level: "INFO"
  format: "common"
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true

metrics:
  prometheus:
    entryPoint: metrics
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true

certificatesResolvers:
  letsencrypt:
    acme:
      dnsChallenge:
        provider: "cloudflare"
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
      email: "andrew@foobar1.com"
      storage: "/letsencrypt/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

entryPoints:
  metrics:
    address: ":8082"
  web:
    address: ":80"
  websecure:
    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: "30m"
    http:
      tls:
        certResolver: "letsencrypt"
  tcp-2022:
    address: ":2022/tcp"
  tcp-25:
    address: ":25/tcp"
  tcp-5170:
    address: ":5170/tcp"
  tcp-5001:
    address: ":5001/tcp"
  tcp-25565:
    address: ":25565/tcp"
  udp-5170:
    address: ":5170/udp"
  udp-5001:
    address: ":5001/udp"
  udp-51821:
    address: ":51821/udp"
  udp-19132:
    address: ":19132/udp"

serversTransport:
  insecureSkipVerify: true

[root@cloud-dmz:/opt/docker/pangolin]# cat config/traefik/dynamic_config.yml
http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https

  routers:
    # HTTP to HTTPS redirect router
    main-app-router-redirect:
      rule: "Host(`dmz.foobar1.com`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`dmz.foobar1.com`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    # API router (handles /api/v1 paths)
    api-router:
      rule: "Host(`dmz.foobar1.com`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    int-api-router:
      rule: "Host(`dmz-api.foobar1.com`)"
      service: int-api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    # WebSocket router
    ws-router:
      rule: "Host(`dmz.foobar1.com`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"  # Next.js server

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server

    int-api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3003" # Integration API

<!-- gh-comment-id:3635212416 --> @AndrewPaglusch commented on GitHub (Dec 10, 2025): @oschwartz10612: ``` [root@cloud-dmz:/opt/docker/pangolin/config/db]# sqlite3 db.sqlite ".mode column" "select * from domains;" domainId baseDomain configManaged type verified failed tries certResolver preferWildcardCert -------- -------------- ------------- -------- -------- ------ ----- ------------ ------------------ domain1 foobar1.com 1 wildcard 1 0 0 letsencrypt 1 domain2 foobar2.com 1 wildcard 1 0 0 letsencrypt 1 domain3 foobar3.com 1 wildcard 1 0 0 letsencrypt 1 ``` I went ahead and cleared out my `acme.json` cert store and started the entire Pangolin stack back up to see what certs would be generated. As it was starting, I watched as non-wildcard certs populated the `acme.json`. Here's what I saw before I killed the containers so I didn't spam the certificate transparency log with hosts ``` # clear acme.json [root@cloud-dmz:/opt/docker/pangolin]# > config/letsencrypt/acme.json [root@cloud-dmz:/opt/docker/pangolin]# jq '.letsencrypt.Certificates[].domain' < config/letsencrypt/acme.json { "main": "foobar1.com" } { "main": "foobar2.net" } { "main": "foobar3.com" } { "main": "dmz-api.foobar1.com" } { "main": "dmz.foobar1.com" } { "main": "ai.foobar1.com" } { "main": "n8n-webhooks.foobar1.com" } { "main": "blabla.foobar1.com" } ``` As you can see, host-specific certs were beginning to populate the certificate store. My full `config.yaml` with consistent domain name redaction ``` [root@cloud-dmz:/opt/docker/pangolin]# cat config/config.yaml app: dashboard_url: https://dmz.foobar1.com log_level: info save_logs: true domains: domain1: base_domain: foobar1.com cert_resolver: letsencrypt prefer_wildcard_cert: true domain2: base_domain: foobar2.com cert_resolver: letsencrypt prefer_wildcard_cert: true domain3: base_domain: foobar3.com cert_resolver: letsencrypt prefer_wildcard_cert: true server: external_port: 3000 internal_port: 3001 next_port: 3002 integration_port: 3003 internal_hostname: pangolin session_cookie_name: p_session_token resource_access_token_param: p_token resource_access_token_headers: id: P-Access-Token-Id token: P-Access-Token resource_session_request_param: p_session_request secret: REDACTED cors: origins: - https://dmz.foobar1.com methods: - GET - POST - PUT - DELETE - PATCH allowed_headers: - X-CSRF-Token - Content-Type credentials: false maxmind_db_path: "./config/GeoLite2-Country.mmdb" traefik: cert_resolver: letsencrypt http_entrypoint: web https_entrypoint: websecure prefer_wildcard_cert: true gerbil: start_port: 51820 base_endpoint: dmz.foobar1.com use_subdomain: false block_size: 24 site_block_size: 30 subnet_group: 100.89.137.0/20 rate_limits: global: window_minutes: 1 max_requests: 500 users: server_admin: email: andrew@foobar1.com password: REDACTED email: smtp_host: "email-smtp.us-west-2.amazonaws.com" smtp_port: 587 smtp_user: "REDACTED" smtp_pass: "REDACTED" no_reply: "dmz-no-reply@foobar1.com" flags: require_email_verification: true disable_signup_without_invite: true disable_user_create_org: false allow_raw_resources: true enable_integration_api: true ``` ``` [root@cloud-dmz:/opt/docker/pangolin]# cat config/traefik/traefik_config.yml api: insecure: true dashboard: true providers: http: endpoint: "http://pangolin:3001/api/v1/traefik-config" pollInterval: "5s" file: filename: "/etc/traefik/dynamic_config.yml" experimental: plugins: badger: moduleName: "github.com/fosrl/badger" version: "v1.2.0" log: level: "INFO" format: "common" maxSize: 100 maxBackups: 3 maxAge: 3 compress: true metrics: prometheus: entryPoint: metrics addEntryPointsLabels: true addRoutersLabels: true addServicesLabels: true certificatesResolvers: letsencrypt: acme: dnsChallenge: provider: "cloudflare" resolvers: - "1.1.1.1:53" - "1.0.0.1:53" email: "andrew@foobar1.com" storage: "/letsencrypt/acme.json" caServer: "https://acme-v02.api.letsencrypt.org/directory" #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" entryPoints: metrics: address: ":8082" web: address: ":80" websecure: address: ":443" transport: respondingTimeouts: readTimeout: "30m" http: tls: certResolver: "letsencrypt" tcp-2022: address: ":2022/tcp" tcp-25: address: ":25/tcp" tcp-5170: address: ":5170/tcp" tcp-5001: address: ":5001/tcp" tcp-25565: address: ":25565/tcp" udp-5170: address: ":5170/udp" udp-5001: address: ":5001/udp" udp-51821: address: ":51821/udp" udp-19132: address: ":19132/udp" serversTransport: insecureSkipVerify: true ``` ``` [root@cloud-dmz:/opt/docker/pangolin]# cat config/traefik/dynamic_config.yml http: middlewares: redirect-to-https: redirectScheme: scheme: https routers: # HTTP to HTTPS redirect router main-app-router-redirect: rule: "Host(`dmz.foobar1.com`)" service: next-service entryPoints: - web middlewares: - redirect-to-https # Next.js router (handles everything except API and WebSocket paths) next-router: rule: "Host(`dmz.foobar1.com`) && !PathPrefix(`/api/v1`)" service: next-service entryPoints: - websecure tls: certResolver: letsencrypt # API router (handles /api/v1 paths) api-router: rule: "Host(`dmz.foobar1.com`) && PathPrefix(`/api/v1`)" service: api-service entryPoints: - websecure tls: certResolver: letsencrypt int-api-router: rule: "Host(`dmz-api.foobar1.com`)" service: int-api-service entryPoints: - websecure tls: certResolver: letsencrypt # WebSocket router ws-router: rule: "Host(`dmz.foobar1.com`)" service: api-service entryPoints: - websecure tls: certResolver: letsencrypt services: next-service: loadBalancer: servers: - url: "http://pangolin:3002" # Next.js server api-service: loadBalancer: servers: - url: "http://pangolin:3000" # API/WebSocket server int-api-service: loadBalancer: servers: - url: "http://pangolin:3003" # Integration API ``` <img width="1403" height="613" alt="Image" src="https://github.com/user-attachments/assets/b8e1ad6f-085a-492e-8181-0c7e2f0726c0" />

GiteaMirror commented 2026-05-06 15:03:52 -05:00

Author

Owner

Copy Link

@AndrewPaglusch commented on GitHub (Dec 16, 2025):

@oschwartz10612 Would you consider re-opening this issue now that I've provided more information and confirmed the issue is still affecting me?

<!-- gh-comment-id:3661598387 --> @AndrewPaglusch commented on GitHub (Dec 16, 2025): @oschwartz10612 Would you consider re-opening this issue now that I've provided more information and confirmed the issue is still affecting me?

GiteaMirror commented 2026-05-06 15:03:53 -05:00

Author

Owner

Copy Link

@millionmice commented on GitHub (Dec 29, 2025):

Is your dynamic_config.yml missing the domain names? (see https://docs.pangolin.net/self-host/advanced/wild-card-domains)

<!-- gh-comment-id:3696891650 --> @millionmice commented on GitHub (Dec 29, 2025): Is your dynamic_config.yml missing the domain names? (see https://docs.pangolin.net/self-host/advanced/wild-card-domains)

GiteaMirror commented 2026-05-06 15:03:54 -05:00

Author

Owner

Copy Link

@AndrewPaglusch commented on GitHub (Jan 10, 2026):

@millionmice That was it! Thank you very much 🥳

<!-- gh-comment-id:3731720872 --> @AndrewPaglusch commented on GitHub (Jan 10, 2026): @millionmice That was it! Thank you very much 🥳

GiteaMirror commented 2026-05-06 15:03:55 -05:00

Author

Owner

Copy Link

@millionmice commented on GitHub (Jan 10, 2026):

You're welcome. It is a convoluted process and the only service I've used which requires API access to issue or renew DNS-01 certs.

<!-- gh-comment-id:3731984370 --> @millionmice commented on GitHub (Jan 10, 2026): You're welcome. It is a convoluted process and the only service I've used which requires API access to issue or renew DNS-01 certs.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-48f670c3a3

dependabot/go_modules/install/minor-updates-a249525a56

rdp-ssh

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/github_actions/sigstore/cosign-installer-4.1.2

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4-s.6

1.18.4-s.5

1.18.4-s.4

1.18.4-s.3

1.18.4-s.2

1.18.4-s.1

1.18.4

1.18.4-s.0

1.18.3-s.3

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#10780