[GH-ISSUE #2382] Pangolin requests certificates for domains of deleted resources #6957

New Issue

Closed

opened 2026-04-25 15:56:55 -05:00 by GiteaMirror · 5 comments

GiteaMirror commented 2026-04-25 15:56:55 -05:00

Owner

Copy Link

Originally created by @eldridgea on GitHub (Jan 30, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2382

Describe the Bug

When I delete a public resource from Pangolin, Pangolin still requests certificates for that subdomain. I regularly get certificate transparency reports for certificates issued from Lets Encrypt to subdomains that I used to have as a resource in pangolin and have since been deleted.

Environment

• OS Type & Version: Ubuntu 24.04
• Pangolin Version: 1.15.1
• Gerbil Version: 1.3.0
• Traefik Version: 3.6.7
• Newt Version: 1.9.0
• Olm Version: (if applicable)

To Reproduce

1. Create a public resource in Pangolin
2. After a certificate has been issued for the resource's subdomain and is available in Pangolin, delete the resource
3. When certificate renewal comes around, Pangolin will renew the certificate of the deleted resource's subdomain

Expected Behavior

Certificate issuance and renewals are only requested for subdomains connected to existing resources.

Originally created by @eldridgea on GitHub (Jan 30, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2382 ### Describe the Bug When I delete a public resource from Pangolin, Pangolin still requests certificates for that subdomain. I regularly get certificate transparency reports for certificates issued from Lets Encrypt to subdomains that I used to have as a resource in pangolin and have since been deleted. ### Environment - OS Type & Version: Ubuntu 24.04 - Pangolin Version: 1.15.1 - Gerbil Version: 1.3.0 - Traefik Version: 3.6.7 - Newt Version: 1.9.0 - Olm Version: (if applicable) ### To Reproduce 1. Create a public resource in Pangolin 2. After a certificate has been issued for the resource's subdomain and is available in Pangolin, delete the resource 3. When certificate renewal comes around, Pangolin will renew the certificate of the deleted resource's subdomain ### Expected Behavior Certificate issuance and renewals are only requested for subdomains connected to existing resources.

GiteaMirror closed this issue 2026-04-25 15:56:55 -05:00

GiteaMirror commented 2026-04-25 15:56:56 -05:00

Author

Owner

Copy Link

@AstralDestiny commented on GitHub (Feb 2, 2026):

Using http validation method I assume? If so that's intended traefik stuff.. Check your acme.json file

<!-- gh-comment-id:3837731150 --> @AstralDestiny commented on GitHub (Feb 2, 2026): Using http validation method I assume? If so that's intended traefik stuff.. Check your acme.json file

GiteaMirror commented 2026-04-25 15:56:57 -05:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Feb 17, 2026):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:3911192631 --> @github-actions[bot] commented on GitHub (Feb 17, 2026): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

GiteaMirror commented 2026-04-25 15:56:57 -05:00

Author

Owner

Copy Link

@LaurenceJJones commented on GitHub (Feb 19, 2026):

Not a bug in pangolin per say, simply this is how traefik the underlying webserver for pangolin currently handles this for http challenges. The workaround as by traefik standards is to manually prune your acme.json or there are some tools on github that the community have made but use at own risk.

<!-- gh-comment-id:3925263381 --> @LaurenceJJones commented on GitHub (Feb 19, 2026): Not a bug in pangolin per say, simply this is how traefik the underlying webserver for pangolin currently handles this for http challenges. The workaround as by traefik standards is to manually prune your acme.json or there are some tools on github that the community have made but use at own risk.

GiteaMirror commented 2026-04-25 15:56:58 -05:00

Author

Owner

Copy Link

@DannyBoyKN commented on GitHub (Feb 21, 2026):

I switched to DNS Challenge recently and purged my acme.json. Only pangolin.exmaple.com and wildcard *.example.com now exist. But searching the web (specific sub.domain finder) all my previous, also long.time ago removed subdomains, are still found.
Is there anything else to be purged, reset or deleted ?

<!-- gh-comment-id:3938776062 --> @DannyBoyKN commented on GitHub (Feb 21, 2026): I switched to DNS Challenge recently and purged my acme.json. Only pangolin.exmaple.com and wildcard *.example.com now exist. But searching the web (specific sub.domain finder) all my previous, also long.time ago removed subdomains, are still found. Is there anything else to be purged, reset or deleted ?

GiteaMirror commented 2026-04-25 15:56:59 -05:00

Author

Owner

Copy Link

@LaurenceJJones commented on GitHub (Feb 22, 2026):

Nope, deleting that is all you can do. The reason sites like https://crt.sh still have the information is due to certificate transparency standards which is a interesting read on why its a good thing to have when we didnt have such standards.

<!-- gh-comment-id:3940299793 --> @LaurenceJJones commented on GitHub (Feb 22, 2026): Nope, deleting that is all you can do. The reason sites like https://crt.sh still have the information is due to certificate transparency standards which is a interesting read on why its a good thing to have when we didnt have such standards.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

resource-policies

copilot/fix-create-alert-visibility

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

redis

crowdin_dev

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

dependabot/docker/docker/library/node-25-slim

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#6957