[GH-ISSUE #356] Traefik returns wrong certificate for resource on base domain of a domain with a wildcard #1411

Closed
opened 2026-04-16 08:03:38 -05:00 by GiteaMirror · 3 comments
Originally created by @whitestrake on GitHub (Mar 18, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/356

Originally assigned to: @miloschwartz on GitHub.

I have multiple domains configured in config.yml with prefer_wildcard_cert = true.

When I configure a resource to be accessible on a Base Domain and browse to the resource:

  • Traefik INFO logging produces Serving default certificate for request: "example.com"
  • My reverse proxy ERROR logging produces: tls: failed to verify certificate: x509: certificate is valid for d3259985ff8eac269f203e3f153d5dfd.a27506fe422f898b674a2d53ace62341.traefik.default, not example.com

I'd expect instead that it acquires and returns a valid certificate for example.com itself, instead of one that I assume is a self-signed fallback.

It seems like Traefik isn't being configured correctly for these Base Domain resources. When I check the output of http://pangolin:3001/api/v1/traefik-config I see a tls.domains.main field equal to the wildcard rather than the actual base domain itself, which seems appropriate for a subdomain resource but not a Base Domain resource - could that be an issue here?

      "4-router": {
        "entryPoints": [
          "websecure"
        ],
        "middlewares": [
          "badger"
        ],
        "service": "4-service",
        "rule": "Host(`example.com`)",
        "tls": {
          "certResolver": "letsencrypt",
          "domains": [
            {
              "main": "*.example.com"
            }
          ]
        }
      },
GiteaMirror added the "reverse proxy" and "bug" labels 2026-04-16 08:03:39 -05:00

@miloschwartz commented on GitHub (Mar 19, 2025):

Hi, I think this is a bug after looking at the code. Prefer wild card will always tack on that * even if it's a base domain. You can get Traefik to generate the base cert by adding this to the dynamic config as seen in the docs here: https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs

I will also work on fixing this bug in the next release.

    domains:
      - main: "example.com"
        sans:
          - "*.example.com"
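Added example (TypeScript, not Pangolin's or Traefik's own code) modelling the `tls.domains` entry discussed in this thread: the `prefer_wildcard_cert` behaviour that puts `*.example.com` in `main` even for a base-domain resource, the `main`/`sans` shape from the suggested workaround, and an RFC 6125 style hostname match showing why a wildcard alone cannot satisfy a request for the apex. The function names and the `fixed` flag are assumptions made for illustration.

```typescript
// Added example, not Pangolin's or Traefik's code. Models the tls.domains
// entry emitted per resource and checks whether a certificate issued for it
// would verify for a given hostname. Names and the `fixed` flag are hypothetical.

interface TlsDomain {
  main: string;
  sans?: string[];
}

// Build the tls.domains entry for one resource.
// buggy (prefer_wildcard_cert as described in the issue): always "*.<base>",
// even when the resource lives on the base domain itself.
// fixed: a base-domain resource gets main=<base> with the wildcard as a SAN,
// which is the shape the workaround above uses.
function buildTlsDomain(
  host: string,
  baseDomain: string,
  preferWildcard: boolean,
  fixed: boolean,
): TlsDomain {
  if (!preferWildcard) return { main: host };
  const isBase = host === baseDomain;
  if (isBase && fixed) return { main: baseDomain, sans: [`*.${baseDomain}`] };
  return { main: `*.${baseDomain}` };
}

// RFC 6125 style matching: a wildcard covers exactly one leftmost label, so
// "*.example.com" matches "app.example.com" but not "example.com" itself
// nor "a.b.example.com".
function nameMatches(pattern: string, host: string): boolean {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith("*.")) return p === h;
  const suffix = p.slice(1); // ".example.com"
  if (!h.endsWith(suffix)) return false;
  const left = h.slice(0, h.length - suffix.length);
  return left.length > 0 && !left.includes(".");
}

// Would a certificate issued for this tls.domains entry verify for `host`?
// For the buggy base-domain entry this is false, which is why Traefik falls
// back to its default certificate and the upstream proxy's x509 check fails.
function certCovers(entry: TlsDomain, host: string): boolean {
  return [entry.main, ...(entry.sans ?? [])].some((n) => nameMatches(n, host));
}
```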
@whitestrake commented on GitHub (Mar 19, 2025):

No worries - right now I have a reverse proxy in front of it so I've got a workaround just by skipping TLS verification at the proxy layer, and still have valid HTTPS for end-users. Thanks for your work!

If it's not a bother, could I ask for a bit more clarification on your advice re: Traefik config? The linked doc describes using that structure for next-router inside dynamic-config.yml, but I already have my primary domain set up there already exactly like that (and my primary domain does serve the base cert and the wildcard cert just fine). It's the additional/secondary domains that have this issue. Where should I add that config for each of the secondary domains? Or should I try to merge them into the next-router config somehow? It's not a blocking issue for me at all with the reverse proxy in front right now, but getting proper HTTPS through the chain without skipping verification would be a nice-to-have. Much appreciated!

@miloschwartz commented on GitHub (Mar 20, 2025):

Ah, I didn't consider the extra domains when I wrote that message. I think you could force Traefik to generate one by adding it to the sans section and/or creating a dummy router with the domain. More info here: https://doc.traefik.io/traefik/https/acme/
