[Bug]: Can't use wildcard domain with multiple servers

Open vitusan opened this issue 8 months ago • 9 comments

Error Message and Logs

When adding a new server to the main Coolify instance, if the main instance has a wildcard domain attached to it, then any service hosted on the secondary server, when using the same wildcard domain that the main server uses, won't get the SSL certificate issued, so no HTTPS is available for this service, only HTTP.

I don't know if this is a natural limitation of the certificate or if it's a bug.

The workaround is to remove the wildcard domain from the main server, and then HTTPS will work on the secondary server.

Steps to Reproduce

  1. Configure the main instance
  2. Add a wildcard domain, confirmed working with services hosted on the main instance
  3. Add a second server
  4. Add a service that uses the same wildcard domain that the main server uses
  5. Configure DNS to point to the second server on a certain subdomain like "subdomain.main.com"
  6. Get an invalid HTTPS certificate error when accessing the service on the secondary server, but HTTP works

Example Repository URL

No response

Coolify Version

v4.0.0-beta.399

Are you using Coolify Cloud?

No (self-hosted)

Operating System and Version (self-hosted)

No response

Additional Information

No response

vitusan avatar Mar 25 '25 18:03 vitusan

@vitusan If your subdomain DNS is pointing directly to server 2, then your main server should have no effect on what happens on server 2.

The only issue would be how you were generating certificates, i.e. are you using a DNS proxy? This would prevent server 2 from generating a certificate if the new subdomain was also proxied.

So, 2 questions: are you using a DNS proxy? If yes, how are you generating certificates (DNS challenge or installing manually)?

djsisson avatar Mar 25 '25 19:03 djsisson

Currently I am facing similar issues.

Infrastructure:

  • 3 Raspberry Pis: one master for Coolify, two node servers

Setup:

  • On the master Coolify instance no wildcard URL is set
  • On Node-1 https://sv01.apps.domain.com
  • On Node-2 https://sv02.apps.domain.com

Case One:

  • Deployment of a service to the master node with https://case1.apps.domain.com. Result: works fine ✅

Case Two:

  • Deployment of a service to node-01 with https://case2.sv01.apps.domain.com. Result: no HTTP, no HTTPS ❌

Case Three:

  • Deployment of a service to node-02 with https://case3.sv02.apps.domain.com. Result: no HTTP, no HTTPS ❌

ChristophDietrich avatar Mar 25 '25 19:03 ChristophDietrich

@ChristophDietrich How are you routing to your nodes? Directly or via your master?

djsisson avatar Mar 25 '25 19:03 djsisson

Incoming traffic is going directly to the master node; it has a DNS wildcard *.apps.domain.com pointing to the master server.

Then it should forward traffic to the nodes, depending on the URLs.

ChristophDietrich avatar Mar 25 '25 19:03 ChristophDietrich

Who is your provider? Cloudflare won't issue a proxy cert for 2nd-level subdomains.

You can test the master first by running curl -v -H "host: test.app.domain.com" localhost. You can add -L to follow the HTTPS redirect and, I think, -k to ignore cert issues. This will test that the proxy is working first.

Also, this depends on what you are forwarding to. If it's directly to a port in the container, it's fine; if it's to port 80, it's fine; but if you are forwarding to 443 you would need to use a DNS challenge or manually install certs on your nodes.

djsisson avatar Mar 25 '25 19:03 djsisson
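The curl test above checks the proxy from the inside. The following script is an added example (not from this thread, not Coolify's own tooling) that runs the same kind of check from the outside against the node you think a name should hit: does the A record actually resolve to that node, does the proxy on that node route the Host header at all, and is the certificate it serves a real Let's Encrypt one or the proxy's self-signed fallback. It assumes Coolify's proxy is Traefik, whose fallback certificate carries the subject "TRAEFIK DEFAULT CERT", and that dig, curl and openssl are installed; the IP addresses in the usage line are placeholders.

```shell
#!/usr/bin/env sh
# Added diagnostic for the situation in this thread; not part of Coolify.
# Assumptions (not confirmed by the thread): Coolify's proxy is Traefik,
# whose self-signed fallback certificate has CN "TRAEFIK DEFAULT CERT";
# dig, curl and openssl are installed on the machine running this.

# Does the A record the resolver returned match the server you meant?
# Pure string logic so it can be tested without network access.
dns_points_to() {
  resolved="$1"; expected="$2"
  if [ "$resolved" = "$expected" ]; then
    echo "ok: $expected"
    return 0
  fi
  echo "mismatch: resolves to '${resolved:-<nothing>}', expected $expected"
  return 1
}

# Classify the issuer line printed by `openssl x509 -noout -issuer`.
classify_issuer() {
  case "$1" in
    *"TRAEFIK DEFAULT CERT"*) echo "fallback-self-signed" ;;  # proxy never obtained an ACME cert
    *"Let's Encrypt"*)        echo "letsencrypt" ;;
    "")                       echo "no-tls" ;;                # nothing answered on 443
    *)                        echo "other" ;;
  esac
}

# Live checks. usage: ./check_node_tls.sh case2.sv01.apps.domain.com 203.0.113.20
live_check() {
  host="$1"; expected_ip="$2"
  dns_points_to "$(dig +short A "$host" | head -n 1)" "$expected_ip" || true

  # Same idea as the curl test suggested in the thread, but aimed at the
  # node's IP from outside: --resolve forces curl to the IP you expect,
  # -k ignores the fallback cert, -L follows the http->https redirect.
  # A 404 here means the proxy on that node has no router for this Host
  # (wrong domain field, or the service is not deployed on that node).
  curl -sS -k -L -o /dev/null \
    --resolve "$host:80:$expected_ip" --resolve "$host:443:$expected_ip" \
    -w "proxy: HTTP %{http_code} (final URL %{url_effective})\n" "http://$host/"

  issuer="$(openssl s_client -connect "$expected_ip:443" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -noout -issuer 2>/dev/null)"
  echo "cert: ${issuer:-<none>} -> $(classify_issuer "$issuer")"
}

if [ "$#" -eq 2 ]; then
  live_check "$1" "$2"
fi
```

Run it once against the node's IP and once against the master's IP: if only the master answers the Host with a 200 and the node serves the fallback certificate, traffic for that name never reached the node's proxy, so its ACME HTTP-01 challenge could not have succeeded either.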

@djsisson I'm not using a DNS proxy. I have an A record for the subdomain pointing to the secondary server's IP address, and wildcard * and @ A records pointing to the main server's IP.

But I can't obtain an SSL certificate with Let's Encrypt, Coolify's default method (no changes made), unless I remove the wildcard domain configuration from the main Coolify instance (it's okay to keep the A records at the DNS provider).

I also found a similar issue, but much older, that seems to have been addressed...

https://github.com/coollabsio/coolify/issues/2650

vitusan avatar Mar 25 '25 19:03 vitusan

The Coolify wildcard will only affect what domain is generated for new projects, not whether you can generate a cert or not.

So, assuming the wildcard domain is set to main.com, a new project would be xxxx.main.com.

So, assuming you rename a project to chatwoot.main.com to match your DNS:

If you don't get a cert, you would need to look at the proxy logs to see why.

djsisson avatar Mar 25 '25 19:03 djsisson
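"Look at the proxy logs" is the right advice, but a Traefik ACME error is one very long logfmt line per domain. The script below is an added example (not from this thread, not Coolify's code) that reduces those lines to domain, ACME error type and detail, with a hint for the common types. The log lines embedded in it are constructed in Traefik's logfmt shape for demonstration, not real output from anyone's node, and the container name coolify-proxy in the usage comment is an assumption.

```shell
#!/usr/bin/env sh
# Added example, not from the thread or from Coolify: extract the ACME
# failures from the proxy log so "I don't get a cert" becomes a concrete
# reason per domain. Assumes Coolify's proxy is Traefik (logfmt output);
# the container name "coolify-proxy" in the usage below is an assumption.

# Constructed sample log lines in Traefik's format (not real output from this thread).
SAMPLE_LOG='time="2025-03-25T19:05:12Z" level=info msg="Configuration loaded from flags."
time="2025-03-25T19:05:40Z" level=error msg="Unable to obtain ACME certificate for domains \"chatwoot.main.com\": unable to generate a certificate for the domains [chatwoot.main.com]: error: one or more domains had a problem:\n[chatwoot.main.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 203.0.113.10: Invalid response from http://chatwoot.main.com/.well-known/acme-challenge/abc: 404" providerName=letsencrypt.acme
time="2025-03-25T19:06:02Z" level=error msg="Unable to obtain ACME certificate for domains \"case2.sv01.apps.domain.com\": unable to generate a certificate for the domains [case2.sv01.apps.domain.com]: error: one or more domains had a problem:\n[case2.sv01.apps.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for case2.sv01.apps.domain.com" providerName=letsencrypt.acme
time="2025-03-25T19:06:30Z" level=debug msg="Certificates obtained for domains [ok.main.com]" providerName=letsencrypt.acme'

# Reads log lines on stdin; prints "domain|acme-error-type|detail" per failed domain.
acme_failures() {
  grep 'Unable to obtain ACME certificate' \
  | sed -n 's/.*for domains \\"\([^\\]*\)\\".*urn:ietf:params:acme:error:\([a-zA-Z]*\) :: \([^"]*\)".*/\1|\2|\3/p'
}

# Map the ACME error type to what to check first.
explain() {
  case "$1" in
    dns)          echo "DNS: the name does not resolve; fix the A record, then retry" ;;
    unauthorized) echo "another host answered the HTTP-01 challenge: make sure the A record for this name points at the server this proxy runs on, not at a wildcard elsewhere" ;;
    connection)   echo "the CA could not reach port 80 on the resolved IP: firewall or wrong IP" ;;
    rateLimited)  echo "Let's Encrypt rate limit hit: wait before retrying" ;;
    *)            echo "unrecognised type; see the ACME error URN above" ;;
  esac
}

# Human-readable report of acme_failures output.
report() {
  acme_failures | while IFS='|' read -r domain etype detail; do
    printf '%s\n  acme error: %s\n  detail:     %s\n  hint:       %s\n' \
      "$domain" "$etype" "$detail" "$(explain "$etype")"
  done
}

# Usage:
#   sh acme_failures.sh --demo                               # run on the constructed sample
#   docker logs coolify-proxy 2>&1 | sh acme_failures.sh --stdin   # container name assumed
case "${1:-}" in
  --demo)  printf '%s\n' "$SAMPLE_LOG" | report ;;
  --stdin) report ;;
esac
```

The two failure types in the sample are the ones that matter for this thread: "dns" means the name does not resolve at all, while "unauthorized" with a 404 on the challenge URL means some server did answer on port 80 for that name, just not the one that requested the certificate.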

Well, I did what this user mentioned and it worked.

For some reason the server must be added without the wildcard domain configuration. After I cleared the wildcard domain field and restarted the secondary server's proxy, the error went away and it worked. SSL is back for the services hosted on secondary servers.

I even added the wildcard domain back to the main server config and created new services in the secondary server and it worked without issues.

vitusan avatar Mar 26 '25 01:03 vitusan

Can you share your domains field in Coolify? It may be silly, but I had a huge mess with logs when I forgot to add https:// in https://xxx.example.com; I just added xxxx.example.com and it didn't work. I will in fact open an issue to add a validation, because everything looks good but is not. Try to put it with the scheme.

titusfx avatar Mar 26 '25 10:03 titusfx