[PR #2523] [CLOSED] fix: clean up ACME certs when resources are deleted #3011

New Issue

Closed

opened 2026-04-16 09:44:35 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-16 09:44:35 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/2523
Author: @shreyaspapi
Created: 2/23/2026
Status: ❌ Closed

Base: main ← Head: fix/2382-cleanup-certs-on-resource-deletion

---

📝 Commits (2)

• a404b0d fix: clean up ACME certs when resources are deleted
• 9f31532 fix: extract pure acme logic into acmeData.ts so tests import real code

📊 Changes

5 files changed (+453 additions, -39 deletions)

View changed files

📝 server/lib/readConfigFile.ts (+4 -0)
➕ server/lib/traefik/acmeCleanup.test.ts (+323 -0)
➕ server/lib/traefik/acmeCleanup.ts (+52 -0)
➕ server/lib/traefik/acmeData.ts (+53 -0)
📝 server/routers/resource/deleteResource.ts (+21 -39)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Fixes #2382

What's wrong

When you delete a resource, Traefik keeps its certificate in acme.json and keeps renewing it forever. The deleteResource handler only removes the DB row — it never touches the ACME storage.

What this does

• After deleting a resource, checks if any other resource still uses the same domain
• If not, removes that domain's certificate from acme.json so Traefik stops renewing it
• Adds a configurable acme_json_path option (defaults to /app/config/letsencrypt/acme.json)
• The cleanup is best-effort — if it fails for any reason, the delete still succeeds

How to test?

1. Create a resource with a custom domain that gets a Let's Encrypt cert
2. Delete that resource
3. Verify the domain's cert is removed from acme.json
4. Verify that domains shared by other resources are NOT removed

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/2523 **Author:** [@shreyaspapi](https://github.com/shreyaspapi) **Created:** 2/23/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/2382-cleanup-certs-on-resource-deletion` --- ### 📝 Commits (2) - [`a404b0d`](https://github.com/fosrl/pangolin/commit/a404b0d0b044cc636e559795104df57ce07c0e8c) fix: clean up ACME certs when resources are deleted - [`9f31532`](https://github.com/fosrl/pangolin/commit/9f315328c402d48a54098b344e42eb94989acaa5) fix: extract pure acme logic into acmeData.ts so tests import real code ### 📊 Changes **5 files changed** (+453 additions, -39 deletions) <details> <summary>View changed files</summary> 📝 `server/lib/readConfigFile.ts` (+4 -0) ➕ `server/lib/traefik/acmeCleanup.test.ts` (+323 -0) ➕ `server/lib/traefik/acmeCleanup.ts` (+52 -0) ➕ `server/lib/traefik/acmeData.ts` (+53 -0) 📝 `server/routers/resource/deleteResource.ts` (+21 -39) </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description Fixes #2382 ## What's wrong When you delete a resource, Traefik keeps its certificate in `acme.json` and keeps renewing it forever. The `deleteResource` handler only removes the DB row — it never touches the ACME storage. ## What this does - After deleting a resource, checks if any other resource still uses the same domain - If not, removes that domain's certificate from `acme.json` so Traefik stops renewing it - Adds a configurable `acme_json_path` option (defaults to `/app/config/letsencrypt/acme.json`) - The cleanup is best-effort — if it fails for any reason, the delete still succeeds ## How to test? 1. Create a resource with a custom domain that gets a Let's Encrypt cert 2. Delete that resource 3. Verify the domain's cert is removed from `acme.json` 4. Verify that domains shared by other resources are NOT removed --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-04-16 09:44:35 -05:00

GiteaMirror closed this issue 2026-04-16 09:44:35 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

resource-policies

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

redis

crowdin_dev

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

dependabot/docker/docker/library/node-25-slim

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#3011