[GH-ISSUE #1360] Inconsistent Subdomain Validation: Some Domains Accept Hyphens, Others Reject Them #8638

New Issue

Closed

opened 2026-04-30 04:38:00 -05:00 by GiteaMirror · 2 comments

GiteaMirror commented 2026-04-30 04:38:00 -05:00

Owner

Copy Link

Originally created by @diazhernawan on GitHub (Aug 27, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1360

I run into some inconsistent Subdomain Validation: Some Domains Accept Hyphens, Others Reject Them

• Pangolin Version: 1.9.0
• Gerbil Version: 1.2.0
• Traefik Version: 3.5
• Deployment: Self-hosted with Docker Compose

Problem Description

Pangolin's subdomain validation behaves inconsistently across different configured domains. Some domains accept hyphenated subdomains while others reject them, despite identical configuration.

Expected Behavior

All domains configured with identical settings should have consistent subdomain validation rules.

Actual Behavior

• Domains that accept hyphens: katawarna.org, daging.co.id
• Domains that reject hyphens: arkterra.id, bbfmeatshop.co.id, politekniktempo.com

Steps to Reproduce

1. Configure multiple domains in Pangolin config with identical settings
2. Attempt to create hyphenated subdomains (e.g., test-new-hyphen) for each domain
3. Observe inconsistent validation behavior

Test Results

Working Examples (Accepted)

• nextcloud.katawarna.org ✓
• onlyoffice.katawarna.org ✓
• test-new-tes-ts-test-tes-test.katawarna.org ✓
• test-new-tes-ts-test-tes-test.daging.co.id ✓

Failing Examples (Rejected)

• dev01-web-bbf.arkterra.id ✗ (reverts to base domain)
• dev02-web.arkterra.id ✗ (reverts to base domain)
• test-hyphen.bbfmeatshop.co.id ✗ (reverts to base domain)

Validation Inconsistency

Previously working subdomain dev01-web-bbf.arkterra.id was accepted, then later rejected when attempting to recreate it, suggesting validation rules changed during runtime.

Configuration

domains:
    domain1:
        base_domain: "katawarna.org"
        cert_resolver: "letsencrypt"
        prefer_wildcard_cert: true
    domain2:
        base_domain: "arkterra.id"  
        cert_resolver: "letsencrypt"
        prefer_wildcard_cert: true
    domain3:
        base_domain: "bbfmeatshop.co.id"
        cert_resolver: "letsencrypt"
    domain4:
        base_domain: "politekniktempo.com"
        cert_resolver: "letsencrypt"
    domain5:
        base_domain: "daging.co.id"
        cert_resolver: "letsencrypt"

All domains use identical DNS configuration (Cloudflare DNS-only mode, wildcard A records) and identical SSL settings.

Impact

• Inconsistent user experience across domains
• Some domains unusable for complex subdomain naming schemes
• No clear documentation explaining different validation rules per domain

Additional Notes

• Non-hyphenated subdomains work consistently across all domains
• The validation appears domain-specific rather than organization-specific
• No error messages or logs indicate why certain domain/subdomain combinations are rejected

Originally created by @diazhernawan on GitHub (Aug 27, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1360 I run into some inconsistent Subdomain Validation: Some Domains Accept Hyphens, Others Reject Them - **Pangolin Version**: 1.9.0 - **Gerbil Version**: 1.2.0 - **Traefik Version**: 3.5 - **Deployment**: Self-hosted with Docker Compose ## Problem Description Pangolin's subdomain validation behaves inconsistently across different configured domains. Some domains accept hyphenated subdomains while others reject them, despite identical configuration. ## Expected Behavior All domains configured with identical settings should have consistent subdomain validation rules. ## Actual Behavior - **Domains that accept hyphens**: `katawarna.org`, `daging.co.id` - **Domains that reject hyphens**: `arkterra.id`, `bbfmeatshop.co.id`, `politekniktempo.com` ## Steps to Reproduce 1. Configure multiple domains in Pangolin config with identical settings 2. Attempt to create hyphenated subdomains (e.g., `test-new-hyphen`) for each domain 3. Observe inconsistent validation behavior ## Test Results ### Working Examples (Accepted) - `nextcloud.katawarna.org` ✓ - `onlyoffice.katawarna.org` ✓ - `test-new-tes-ts-test-tes-test.katawarna.org` ✓ - `test-new-tes-ts-test-tes-test.daging.co.id` ✓ ### Failing Examples (Rejected) - `dev01-web-bbf.arkterra.id` ✗ (reverts to base domain) - `dev02-web.arkterra.id` ✗ (reverts to base domain) - `test-hyphen.bbfmeatshop.co.id` ✗ (reverts to base domain) ### Validation Inconsistency Previously working subdomain `dev01-web-bbf.arkterra.id` was accepted, then later rejected when attempting to recreate it, suggesting validation rules changed during runtime. ## Configuration ```yaml domains: domain1: base_domain: "katawarna.org" cert_resolver: "letsencrypt" prefer_wildcard_cert: true domain2: base_domain: "arkterra.id" cert_resolver: "letsencrypt" prefer_wildcard_cert: true domain3: base_domain: "bbfmeatshop.co.id" cert_resolver: "letsencrypt" domain4: base_domain: "politekniktempo.com" cert_resolver: "letsencrypt" domain5: base_domain: "daging.co.id" cert_resolver: "letsencrypt" ``` All domains use identical DNS configuration (Cloudflare DNS-only mode, wildcard A records) and identical SSL settings. ## Impact - Inconsistent user experience across domains - Some domains unusable for complex subdomain naming schemes - No clear documentation explaining different validation rules per domain ## Additional Notes - Non-hyphenated subdomains work consistently across all domains - The validation appears domain-specific rather than organization-specific - No error messages or logs indicate why certain domain/subdomain combinations are rejected

GiteaMirror added the stale label 2026-04-30 04:38:00 -05:00

GiteaMirror closed this issue 2026-04-30 04:38:01 -05:00

GiteaMirror commented 2026-04-30 04:38:02 -05:00

Author

Owner

Copy Link

@Pallavikumarimdb commented on GitHub (Aug 29, 2025):

Hi @diazhernawan , I tested this scenario with only a wildcard domain using the patch from #1375 and was able to save all of the following without issues using dashboard:

• nextcloud.katawarna.org
• onlyoffice.katawarna.org
• test-new-tes-ts-test-tes-test.katawarna.org
• test-new-tes-ts-test-tes-test.daging.co.id
• dev01-web-bbf.arkterra.id
• dev02-web.arkterra.id
• test-hyphen.bbfmeatshop.co.id

Could you please try this patch on your setup and let me know if it resolves the issue? Also, just to clarify, are you using only wildcard A records for your DNS setup, or do you also have NS/CNAME records in place? This detail would make debugging much clearer, as I can see different domain types (ns, wildcard, cname) have slightly different validation logic in the codebase. Wildcard domains have an extra validation step that NS domains don't have.

<!-- gh-comment-id:3238349189 --> @Pallavikumarimdb commented on GitHub (Aug 29, 2025): Hi @diazhernawan , I tested this scenario with only a wildcard domain using the patch from #1375 and was able to save all of the following without issues using dashboard: * `nextcloud.katawarna.org` * `onlyoffice.katawarna.org` * `test-new-tes-ts-test-tes-test.katawarna.org` * `test-new-tes-ts-test-tes-test.daging.co.id` * `dev01-web-bbf.arkterra.id` * `dev02-web.arkterra.id` * `test-hyphen.bbfmeatshop.co.id` Could you please try this patch on your setup and let me know if it resolves the issue? Also, just to clarify, are you using only wildcard A records for your DNS setup, or do you also have NS/CNAME records in place? This detail would make debugging much clearer, as I can see different domain types (ns, wildcard, cname) have slightly different validation logic in the codebase. Wildcard domains have an extra validation step that NS domains don't have.

GiteaMirror commented 2026-04-30 04:38:03 -05:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Sep 13, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:3287234958 --> @github-actions[bot] commented on GitHub (Sep 13, 2025): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

s3

dependabot/npm_and_yarn/next-intl-4.9.2

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label stale

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#8638