[GH-ISSUE #808] SSL Certificates are renewed for deleted resources #6441

Closed
opened 2026-04-25 15:19:07 -05:00 by GiteaMirror · 3 comments

Originally created by @AleksCee on GitHub (May 30, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/808

Hi,

At the beginning (after a fresh installation) I created a subdomain "test". After some tests I deleted this resource and created some real-use subdomains. Today I got an email from sslmate.com (I use this service for monitoring my SSL certificates) because of a renewal notice for the deleted test subdomain. The resource is deleted and the newt tunnel is not forwarded anymore, but the SSL certificate seems to still be in the config and is renewed.

Can you take a look at this behavior? Thanks, Alex.


@oschwartz10612 commented on GitHub (May 31, 2025):

Hi Alex,

When a Traefik router is deleted, Traefik will still attempt to renew certificates for the domains associated with that router, even if the router no longer exists. This is because Traefik doesn't inherently check if a certificate is actively being used before renewing it. To prevent unnecessary renewals you can try purging the acme.json file.

  1. Stop Traefik:

    Temporarily stop the Traefik instance to prevent conflicts while modifying the acme.json file.

  2. Edit acme.json:

    - Identify unused certificates: Determine which certificates are no longer associated with any active routers.
    - Modify acme.json:
      - Manually: Open acme.json and delete the entries corresponding to the unused certificates.
      - With traefik-certs-cleaner: Use the tool to clean the acme.json file, removing the desired certificates. This tool can be found on GitHub (https://github.com/ldez/traefik-certs-cleaner).
    - Example: If you have a certificate for example.com that's no longer used, find the corresponding entry in acme.json and remove it.

  3. Restart Traefik:

    Restart Traefik after making the changes to acme.json.

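The "identify unused certificates, then edit acme.json" step from the comment above, sketched as an added example (not part of the thread and not Pangolin or Traefik code). It assumes the acme.json layout written by Traefik v2/v3 (resolver name, then `Account` and a `Certificates` list with `domain.main` / `domain.sans`); the resolver name `letsencrypt`, the sample hostnames and the list of still-active hosts are constructed placeholders.

```python
import json

# Constructed sample in the assumed acme.json layout; "<b64>" stands in for the
# base64 certificate and key blobs a real file contains.
SAMPLE_ACME = {"letsencrypt": {
    "Account": {"Email": "admin@example.com"},
    "Certificates": [
        {"domain": {"main": "test.example.com"}, "certificate": "<b64>", "key": "<b64>"},
        {"domain": {"main": "app.example.com", "sans": ["api.example.com"]},
         "certificate": "<b64>", "key": "<b64>"},
        {"domain": {"main": "*.example.org"}, "certificate": "<b64>", "key": "<b64>"},
    ],
}}


def cert_names(cert):
    """All DNS names on one stored certificate, lower-cased."""
    dom = cert.get("domain") or {}
    return [n.lower() for n in [dom.get("main"), *(dom.get("sans") or [])] if n]


def covers(cert_name, host):
    """True if a certificate name (exact or single-label wildcard) matches host."""
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def prune_acme(acme, active_hosts):
    """Return (pruned_copy, removed_names). A certificate is kept if any of its
    names still covers an active host; the Account block is never touched."""
    active = {h.lower() for h in active_hosts}
    pruned = json.loads(json.dumps(acme))  # deep copy, the input stays intact
    removed = []
    for resolver in pruned.values():
        if not isinstance(resolver, dict):
            continue
        kept = []
        for cert in resolver.get("Certificates") or []:  # may be null when empty
            names = cert_names(cert)
            if any(covers(n, h) for n in names for h in active):
                kept.append(cert)
            else:
                removed.append(names)  # report what will stop being renewed
        resolver["Certificates"] = kept
    return pruned, removed
```

Run it on a backup copy of acme.json while Traefik is stopped, review the `removed` list, and write the result back without loosening the file's 0600 permissions.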

@AleksCee commented on GitHub (May 31, 2025):

Hi @oschwartz10612, thanks! That works fine. Is there a way to do this automatically when deleting a domain from the pangolin-service?

Alex


@oschwartz10612 commented on GitHub (Jun 2, 2025):

Yeah this is a good point. I am going to close this issue but could you open a discussion feature request proposing a way to automatically clean up certs?

Reference: github-starred/pangolin#6441