Conversation

@DeployThemAll
Contributor

Summary

This PR fixes three bugs in the DNS Manual SSL certificate flow:

Bug 1: Order caching fails when Expires is zero

ACME orders often have zero Expires initially. The condition !Expires.IsZero() caused valid cached
orders to be deleted and recreated with different TXT values, making verification fail.

Fix: Check Expires.IsZero() || Expires.After(now)

Bug 2: Wildcard and base domain TXT records overwrite each other

When requesting SSL for both example.com and *.example.com, both authorizations have identifier
example.com, causing one TXT value to overwrite the other in the map. Users only saw 1 TXT record
instead of 2.

Fix: Use *.domain as the map key for wildcard authorizations

Bug 3: Only first TXT record checked

When multiple TXT records exist (required for domain + wildcard), only the first DNS result was
checked. If the order of DNS responses varied, verification failed.

Fix: Return all TXT values and check if expected value exists in any of them

Test Plan

  • Create SSL certificate with DNS Manual for single domain
  • Create SSL certificate with DNS Manual for domain + wildcard
  • Verify both TXT records are displayed
  • Verify certificate is issued successfully after adding both TXT records
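The three fixes described in the PR, as an added Go example that is not the PR's or 1Panel's own code; the `Authorization` type and the function names are hypothetical stand-ins for the real ACME client types and the constructed token values are only illustrative:

```go
package main

import "time"

// Authorization mirrors the shape of an ACME authorization: the identifier
// (the base domain) plus a wildcard flag. Hypothetical type, not 1Panel's.
type Authorization struct {
	Identifier string
	Wildcard   bool
}

// txtKey returns the map key for an authorization's TXT value. The base
// domain and the wildcard share the identifier "example.com", so the
// wildcard gets its own key "*.example.com" instead of overwriting the
// base domain's entry (Bug 2).
func txtKey(a Authorization) string {
	if a.Wildcard {
		return "*." + a.Identifier
	}
	return a.Identifier
}

// collectTXT builds the key -> TXT value map without collisions, so a
// domain + wildcard request yields two records for the user to publish.
func collectTXT(auths []Authorization, values []string) map[string]string {
	out := make(map[string]string, len(auths))
	for i, a := range auths {
		out[txtKey(a)] = values[i]
	}
	return out
}

// orderUsable reports whether a cached ACME order may be reused. A zero
// Expires means the server did not set one yet and is not a reason to
// discard the order and mint new TXT values (Bug 1).
func orderUsable(expires, now time.Time) bool {
	return expires.IsZero() || expires.After(now)
}

// txtPresent checks every TXT record returned for the name rather than
// only the first, because resolver response order is not stable when
// several records are published (Bug 3).
func txtPresent(records []string, expected string) bool {
	for _, r := range records {
		if r == expected {
			return true
		}
	}
	return false
}
```

In the real flow `records` would come from a lookup such as `net.LookupTXT("_acme-challenge.example.com")`; here it is passed in so the check runs offline.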

@f2c-ci-robot

f2c-ci-robot bot commented Jan 15, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@f2c-ci-robot

f2c-ci-robot bot commented Jan 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wanghe-fit2cloud for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@zhengkunwang223
Member

Thanks for the PR! There are some merge conflicts at the moment. Could you please resolve them and update the PR?

This fix addresses three bugs in the DNS Manual SSL certificate flow:

1. **Order caching fails when Expires is zero**: ACME orders often have
   zero Expires initially. The condition `!Expires.IsZero()` caused valid
   cached orders to be deleted and recreated with different TXT values.
   Fixed by checking `Expires.IsZero() || Expires.After(now)`.

2. **Wildcard and base domain TXT records overwrite each other**: When
   requesting SSL for both `example.com` and `*.example.com`, both
   authorizations have identifier `example.com`, causing one TXT value
   to overwrite the other. Fixed by using `*.domain` as the map key.

3. **Only first TXT record checked**: When multiple TXT records exist,
   only the first was checked. Fixed by returning all TXT values and
   checking if expected value exists in any of them.

```release-note
Fix DNS Manual SSL certificate issues for wildcard domains
```

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@DeployThemAll DeployThemAll force-pushed the fix-dns-manual-ssl-wildcard branch from c02816c to bccfa53 Compare January 15, 2026 02:17
@DeployThemAll DeployThemAll changed the base branch from dev to dev-v2 January 15, 2026 02:17
@zhengkunwang223 zhengkunwang223 merged commit 55ccb9f into 1Panel-dev:dev-v2 Jan 15, 2026
1 check was pending