SSL not working anymore / invalid certificate #752

Open
opened 2025-11-13 12:10:03 -06:00 by GiteaMirror · 6 comments
Owner

Originally created by @gilluc on GitHub (Nov 1, 2025).

Describe the Bug

Since last week, I guess, SSL on new containers gives me an error in the browser.
Old containers work well.
Attached 2 images:

  • old certificate for baikal: working
  • new certificate for readeck: error

Environment

  • OS Type & Version: (e.g., Ubuntu 22.04) Debian 12 ARM64 / Portainer 2.33.3 LTS
  • Pangolin Version: 1.11.1
  • Gerbil Version: 1.2.2
  • Traefik Version: v3.6.0-rc1
  • Newt Version: 1.1.3
  • Olm Version: (if applicable) ?

To Reproduce

Create a new stack on Portainer, like readeck, and deploy:

```yaml
version: "3.3"
services:
  readeck:
    container_name: readeck
    image: codeberg.org/readeck/readeck:latest
    ports:
      - 8280:8000
    volumes:
      - readeck-data:/readeck
    restart: always

volumes:
  readeck-data:
```

Then declare a resource in Pangolin, like readeck.mydomain.tld.

Connect to it with your browser...

Expected Behavior

Expected to go to the Readeck screen to create a new (first) user.

The browser shows an "invalid certificate" error.


@gilluc commented on GitHub (Nov 1, 2025):

Is it possible that it has something to do with iptables rules I added in DOCKER-USER to prevent connections from "all the world"?

@hhftechnology commented on GitHub (Nov 1, 2025):

> Is it possible that it has something to do with iptables rules I added in DOCKER-USER to prevent connections from "all the world"?

Yes, that's the issue. Revert it to root or the previous user.


@gilluc commented on GitHub (Nov 2, 2025):

> > Is it possible that it has something to do with iptables rules I added in DOCKER-USER to prevent connections from "all the world"?
>
> Yes, that's the issue. Revert it to root or the previous user.

I deleted the DROP line in iptables, but it still doesn't work.
How do I force certificate renewal?


@AstralDestiny commented on GitHub (Nov 3, 2025):

It'll happen automatically.


@gilluc commented on GitHub (Nov 3, 2025):

Yes, it works now, BUT it doesn't fix the need for a DROP line in iptables.
Has anyone any tip for that?
Which IP addresses should I accept, or anything else, to protect my homelab AND allow certificate renewal?


@AstralDestiny commented on GitHub (Nov 4, 2025):

I'd always suggest DNS validation as it doesn't require port 80 to be open, or any ports for that matter; you just need to be able to make an API call out to LE and then your DNS provider.

https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs

https://go-acme.github.io/lego/dns/

Oops, forgot to mention DNS validation grants you wildcards, and it is also less information disclosure in the end, as https://crt.sh exists and no, you can't opt out of having your certs being listed, but you can limit how much is shown.

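As an added example (not Pangolin's own configuration and not Traefik's shipped defaults), here are the two ACME challenge types discussed in this thread side by side in Traefik v3 static-configuration form; the resolver names, email address, storage path, entry point name and DNS provider are assumptions to adapt.

```yaml
# Traefik v3 static configuration (assumed file: traefik_config.yml).
# Added illustration for this thread, not Pangolin's generated config.

certificatesResolvers:
  # HTTP-01: Let's Encrypt connects inbound to port 80 on this host to
  # fetch /.well-known/acme-challenge/<token>. A DROP rule in the
  # DOCKER-USER chain that blocks unsolicited inbound traffic makes
  # issuance and renewal fail, which matches the symptom reported above.
  letsencrypt-http:
    acme:
      email: admin@example.com          # placeholder
      storage: /letsencrypt/acme.json   # placeholder path
      httpChallenge:
        entryPoint: web                 # assumed name of the :80 entry point

  # DNS-01: only outbound HTTPS is required, to the ACME API and to the
  # DNS provider's API. No inbound port has to be reachable, so the
  # DOCKER-USER DROP rule can stay. Wildcard names (*.mydomain.tld) can
  # be issued, so individual hostnames need not appear in CT logs (crt.sh).
  letsencrypt-dns:
    acme:
      email: admin@example.com          # placeholder
      storage: /letsencrypt/acme.json   # placeholder path
      dnsChallenge:
        provider: cloudflare            # any lego provider; credentials are
                                        # read from env vars, e.g. CF_DNS_API_TOKEN
        resolvers:                      # authoritative-ish resolvers used to
          - "1.1.1.1:53"                # confirm the TXT record has propagated
          - "8.8.8.8:53"
```

A router then selects the resolver with `tls.certResolver: letsencrypt-dns` and, for a wildcard, lists `mydomain.tld` plus `*.mydomain.tld` under `tls.domains`; the Pangolin wildcard-certs doc linked above covers where that goes in a Pangolin deployment.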

Reference: github-starred/pangolin#752