mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-17 07:04:36 -05:00
[GH-ISSUE #2978] Certificate: Failed (1.18.2) #19375
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @LaserPew on GitHub (May 3, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2978
Describe the Bug
Hi,
I currently have 2 public resources (in 2 different orgs) that show their domain status as failed even tough the certificates are working completely fine:

These are the domain configs:


Both certificates are pulled by Traefik via HTTP-01. I have other domains using DNS-01 so this is what my
config/traefik/traefik_config.ymllooks like:As I have configured two different acme storages I set the following config in
config/privateConfig.yml:In Pangolins logs I see this error repeatedly when visiting the respective Public Ressource Pages in the Dashboard:
Debugging this with sqlite, I see the certs (only those with HTTP-01) missing in the certificates table:
Having a look at
config/letsencrypt/acme-http.json, they look correct:Already tried this "fix": https://github.com/fosrl/pangolin/issues/2935#issuecomment-4348272408
But certificates don't show up in the certificates table.
No other certSync errors in the logs.
Environment
To Reproduce
Expected Behavior
All certificates shown as valid.
@AstralDestiny commented on GitHub (May 3, 2026):
Bleh sorry initial page broke on me a bit,
So EE, and the domain is a nested subdomain or one?
@LaserPew commented on GitHub (May 3, 2026):
Yes, I'm on EE. Regarding the domains, I have two (see screenshots of domain config from original post):
domain2.com(just the base domain is configured in Pangolin and my public resources are all subdomains of it)subdomain.domain1.com(I just have access to a specific subdomain ofdomain1.com, so I have configuredsubdomain.domain1.comin Pangolin and my resources are undermy-example-resource.subdomain.domain1.com)(Domains are of course redacted for privacy reasons)
This is my (redacted) resource on the nested domain:

@AstralDestiny commented on GitHub (May 3, 2026):
Curious on the askinf ro the t2 and 87 domains then?
@LaserPew commented on GitHub (May 3, 2026):
Sorry, don't quite get the question. Can you maybe elaborate?
@AstralDestiny commented on GitHub (May 3, 2026):
This part.
@LaserPew commented on GitHub (May 3, 2026):
I see this message in the Pangolin logs whenever I open the Public Resources page on the Dashboard.
When inspecting the network tab, I can see the following request with Status 404:
GET
https://pangolin.example.com/api/v1/org/myorg/certificate/t2e83di3n8ajdu5/subdomain.domain2.comThis seems to be in line with the certificates missing from the
certificatestable in sqlite. But they are in fact not missing, they are available in theacme-http.jsonfile and the resources are also served correctly, only Pangolin seems to have a problem with them.Im kinda stuck and don't know how to debug this further.
@LaurenceJJones commented on GitHub (May 3, 2026):
Pangolin looks for the default
acme.jsonif you have modified the path to go toacme-http.jsonyou must inform pangolin to look for this file.ref: https://docs.pangolin.net/self-host/advanced/private-config-file#acme-configuration
@AstralDestiny commented on GitHub (May 3, 2026):
They did in the above to point to a folder.
Though looking that should likely point to an absolute path and not a relative path..
@LaurenceJJones commented on GitHub (May 3, 2026):
Yes but the folder option simply is looking for files named "acme.json"
cf596d980f/server/private/lib/acmeCertSync.ts (L501-L505)so to the OP are you splitting the json files?
@AstralDestiny commented on GitHub (May 3, 2026):
Docs should be updated then.. docs say,
Path to the acme.json file or a directory containing more than one acme json file produced by Traefik (or another ACME client). Pangolin reads this file to extract certificates for synchronization and will look for all files in the specified directory if a directory is provided. The file must be in the format produced by Traefik’s ACME integration. This file is typically mounted as a volume from your ACME client container.
They have a acme-http.json and a acme.json
@LaserPew commented on GitHub (May 3, 2026):
Ah yes, that of course might be the problem.
I'm splitting the acme.json file because I have two different certResolvers in Traefik and was worried that pointing both of them at
acme.jsonmight cause problems.@LaurenceJJones commented on GitHub (May 3, 2026):
So to the op you can do this
the end file has to be named
acme.jsonbut the folders can be nested. As the function searches all folders till it findsacme.json's@AstralDestiny commented on GitHub (May 3, 2026):
You could have multiple providers all using the same acme.json, Traefik will properly handle that.
@LaserPew commented on GitHub (May 3, 2026):
Ah okay, Traefik docs weren't really helpful here. Will try that, should make the setup much more simple.
@LaserPew commented on GitHub (May 3, 2026):
Okay get it now. I think that this should be reflected in the docs. Or maybe the implementation can be updated to allow files that are not named exactly
acme.json?@LaurenceJJones commented on GitHub (May 3, 2026):
I agree it should say "Directory containing one or more acme.json files nested within folders" and probably a warning to say "end file must be named acme.json" 😆 then an example like I shown above.
@AstralDestiny commented on GitHub (May 3, 2026):
I assumed it just looked at anything called in there that was a .json and matches how the acme.json should look like honestly.
@LaserPew commented on GitHub (May 3, 2026):
I have reconfigured the certResolvers in Traefik to both point to acme.json now, removed the privateConfig.yml, cleared the existing acme*.json files and restarted pangolin: everything works as expected now. 💯
Thank you so much for the help!
@AstralDestiny commented on GitHub (May 3, 2026):
Cheers.