[BUG] Error while enabling wildcard certificate with subdomain wildcard

[Arakmar]

What happened?

We currently have services using two kind of domain names (internal or external tool) :

• *.<domain.tld>
• *.int.<domain.tld>

After enabling wildcard certificate option, it fails because it tries to create a single wildcard cert with the following domain name :

• *.domain.tld
• *.int.domain.tld
• domain..tld
• int.domain.tld

It fails because of int.domain.tld which is already part of *.domain.tld.

How to reproduce?

Creating services with a subdomain and services with a sub-subdomain

Configuration file(s) (yaml or .env)

Relevant log output

[LETS-ENCRYPT.NEW] [31] [ℹ ] - Asking wildcard certificates for domain(s) : *.int.<domain.tld>,*.<domain.tld>,int.<domain.tld>,<domain.tld> (email = contact@blog.<domain.tld>) with dns challenge...
[LETS-ENCRYPT.NEW.CERTBOT] [31] [ℹ ] - Saving debug log to /var/log/bunkerweb/letsencrypt/letsencrypt.log
Requesting a certificate for *.int.<domain.tld> and 3 more domains
[LETS-ENCRYPT.NEW.CERTBOT] [31] [ℹ ] - An unexpected error occurred:
[LETS-ENCRYPT.NEW.CERTBOT] [31] [ℹ ] - Error creating new order :: Domain name "int.<domain.tld>" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
[LETS-ENCRYPT.NEW.CERTBOT] [31] [ℹ ] - Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/bunkerweb/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[LETS-ENCRYPT.NEW] [31] [❌] - Certificate generation failed for domain(s) *.int.<domain.tld>,*.<domain.tld>,int.<domain.tld>,<domain.tld> ...
[LETS-ENCRYPT.NEW] [31] [ℹ ] - Clear old certificates is activated, removing old / no longer used certificates...
[LETS-ENCRYPT.NEW] [31] [ℹ ] - Successfully saved data to db cache
[SCHEDULER] [31] [❌] - Error while executing job 'certbot-new' from plugin 'letsencrypt'

BunkerWeb version

1.6.1

What integration are you using?

Docker

Linux distribution (if applicable)

No response

Removed private data

• I have removed all private data from the configuration file and the logs

Code of Conduct

• I agree to follow this project's Code of Conduct

[TheophileDiot]

Hi @Arakmar,

We currently do not support wildcards in the SERVER_NAME setting. Instead, the wildcard is automatically generated based on similar services that share the same suffix. This means you don’t need to manually define it—our system takes care of that for you.

If you’re encountering any issues or have a specific use case that requires wildcard support, feel free to share more details, and we’d be happy to explore potential solutions!

[fl0ppy-d1sk]

I'm pretty sure that the important part here is Error creating new order :: Domain name "int.<domain.tld>" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.

Looks like it's an edge case we weren't aware of @Arakmar, thank you for reporting it.

[Arakmar]

Hi,

Sorry I didn't explain very well the context, let's say I have theses services :

• a.example.com
• b.int.example.com

Then I enable wildcard on global config with USE_LETS_ENCRYPT_WILDCARD.
I got this error probably because for each different domain, it tries to add in the certificate the wildcard variant and the plain variant without checking if there is a conflict between each domains.

@fl0ppy-d1sk Yes it's this line

[TheophileDiot]

Alright, I see. My bad on this! I'll review the issue and see what we can do to address it.

[TheophileDiot]

Hi @Arakmar, this should be fixed in the next minor release.