Wildcard Certificates Not Being Generated Despite prefer_wildcard_cert: true #766

Open
opened 2025-11-13 12:10:21 -06:00 by GiteaMirror · 3 comments

Originally created by @AndrewPaglusch on GitHub (Nov 8, 2025).

Originally assigned to: @oschwartz10612 on GitHub.

### Describe the Bug

Possibly related to [#1816](https://github.com/fosrl/pangolin/issues/1816)

When `prefer_wildcard_cert: true` is set in `config.yaml` for domains, Traefik still generates individual certificates for each subdomain instead of requesting wildcard certificates.

```yaml
domains:
  domain1:
    base_domain: foobar1.com
    cert_resolver: letsencrypt
    prefer_wildcard_cert: true
  domain2:
    base_domain: foobar2.com
    cert_resolver: letsencrypt
    prefer_wildcard_cert: true
```

I believe this bug was introduced in commit [d938345deb](https://github.com/fosrl/pangolin/commit/d938345debe8a515a8d251cdf4bd448e75ef811e) on Wed Oct 8, since there seem to be some changes made around the `preferWildcardCert` setting there.

### Environment

- OS Type & Version: AlmaLinux 9.6
- Pangolin Version: 1.12.1 (Community)
- Gerbil Version: 1.2.2
- Traefik Version: 3.4.0
- Newt Version: 1.6.0
- Olm Version: N/A

### To Reproduce

1. Configure domains in `config.yaml` with `prefer_wildcard_cert: true`:

   ```yaml
   domains:
     domain1:
       base_domain: foobar1.com
       cert_resolver: letsencrypt
       prefer_wildcard_cert: true
     domain2:
       base_domain: foobar2.com
       cert_resolver: letsencrypt
       prefer_wildcard_cert: true
   ```

2. Set global preference in `config.yaml`:

   ```yaml
   traefik:
     cert_resolver: letsencrypt
     prefer_wildcard_cert: true
   ```

3. Clear the `acme.json` file to force certificate regeneration:

   ```bash
   rm /path/to/letsencrypt/acme.json
   ```

4. Restart Pangolin and observe the Traefik logs and/or look at the certs generated.

### Expected Behavior

The Traefik dynamic configuration should include wildcard domain specifications like:

```json
{
  "tls": {
    "certResolver": "letsencrypt",
    "domains": [
      {
        "main": "*.foobar1.com"
      }
    ]
  }
}
```

This would cause Traefik to request a single wildcard certificate covering all subdomains.

The Traefik dynamic configuration generates individual domain entries instead:

```bash
$ curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries | .[0] | {router: .key, tls_domains: .value.tls.domains}'
{
  "router": "605-prefix-cloud-foobar1-com-router",
  "tls_domains": [
    {
      "main": "cloud.foobar1.com"
    }
  ]
}
```

Every subdomain gets its own specific certificate request instead of using wildcards.

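The `jq` one-liner above only inspects the first router. As an added example (not code from the issue or from the Pangolin project), the script below audits every router in the `/api/v1/traefik-config` output and classifies each ACME request as a wildcard, a per-host request under a base domain that is supposed to prefer wildcards (the symptom reported here), or a domain outside the configured base domains. The JSON sample is constructed; the first router copies the issue's output, the other routers are assumed.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample of what Pangolin's /api/v1/traefik-config returns.
# The first router mirrors the jq output quoted in the issue; the other
# routers are assumed for illustration.
SAMPLE_TRAEFIK_CONFIG = json.dumps({"http": {"routers": {
    "605-prefix-cloud-foobar1-com-router": {
        "tls": {"certResolver": "letsencrypt",
                "domains": [{"main": "cloud.foobar1.com"}]}},
    "2-api-router": {
        "tls": {"certResolver": "letsencrypt",
                "domains": [{"main": "*.foobar1.com"}]}},
    "9-other-router": {
        "tls": {"certResolver": "letsencrypt",
                "domains": [{"main": "cloud.foobar3.net"}]}},
    "7-http-only-router": {"rule": "Host(`plain.foobar2.com`)"},
}}})

# Base domains marked prefer_wildcard_cert: true in the issue's config.yaml.
WILDCARD_BASE_DOMAINS = ["foobar1.com", "foobar2.com"]

def base_domain_for(name: str, bases: List[str]) -> Optional[str]:
    """Return the configured base domain that `name` falls under, if any."""
    for base in bases:
        if name == base or name.endswith("." + base):
            return base
    return None

def audit_routers(config_json: str, bases: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each TLS router to (main domain, verdict): 'wildcard' when main is
    exactly '*.<base>', 'per_host' when a hostname under a wildcard-preferred
    base still requests its own cert (the issue's symptom), else 'unmanaged'."""
    routers = json.loads(config_json)["http"]["routers"]
    verdicts: Dict[str, Tuple[str, str]] = {}
    for name, router in routers.items():
        # Routers without tls.domains trigger no ACME request; skip them.
        for entry in (router.get("tls") or {}).get("domains") or []:
            main = entry["main"]
            host = main[2:] if main.startswith("*.") else main
            base = base_domain_for(host, bases)
            if base is None:
                verdict = "unmanaged"
            elif main == "*." + base:
                verdict = "wildcard"
            else:
                verdict = "per_host"
            verdicts[name] = (main, verdict)
    return verdicts
```

Pipe the live output of `curl -s http://localhost:3001/api/v1/traefik-config` into `audit_routers` to see which routers still request per-host certificates. Note that Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, so the resolver must be configured for DNS-01 for a `*.` entry to succeed.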
GiteaMirror added the bug label 2025-11-13 12:10:21 -06:00

@AndrewPaglusch commented on GitHub (Nov 9, 2025):

This bug still appears to be present in the latest release 1.12.2.

```
[root@cloud-dmz:/opt/docker/pangolin]# docker exec -it pangolin curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries | .[0] | {router: .key, tls_domains: .value.tls.domains}'
{
  "router": "605-prefix-cloud-foobar1-com-router",
  "tls_domains": [
    {
      "main": "cloud.foobar1.com"
    }
  ]
}
```

I can see individual certs still being generated:

```
jq '.letsencrypt.Certificates[].domain' < /opt/docker/pangolin/config/letsencrypt/acme.json
{
  "main": "plex.foobar1.com"
}
{
  "main": "photos.foobar2.com"
}
{
  "main": "cloud.foobar3.net"
}
[...]
```

@oschwartz10612 Would you mind re-opening this issue if you can confirm it's still a problem?


@Anmol202005 commented on GitHub (Nov 10, 2025):

@AndrewPaglusch tried reproducing, works good:

```bash
~ ❯ curl -s http://localhost:3001/api/v1/traefik-config | jq '.http.routers | to_entries[] | select(.value.tls != null) | {router: .key, tls: .value.tls}'
{
  "router": "2-api-router",
  "tls": {
    "certResolver": "letsencrypt",
    "domains": [
      {
        "main": "*.foobar1.com"
      }
    ]
  }
}
{
  "router": "3-dashboard-router",
  "tls": {
    "certResolver": "letsencrypt",
    "domains": [
      {
        "main": "*.foobar1.com"
      }
    ]
  }
}
```


@AndrewPaglusch commented on GitHub (Nov 11, 2025):

@Anmol202005 Would you mind sharing your redacted config with me? I'd like to see if you're configuring wildcard domains differently than I am. Thanks!

In your redacted output above, I noticed you have two wildcard domains returned for the same (fake) domain. In your real output, are there two different wildcards being returned, each for different domains, or are they each for the same domain?

Reference: github-starred/pangolin#766