Routing to wildcard subdomains not working

[naveencom]

My kamal config:

proxy:
  ssl: true
  host: example.com
  app_port: 8000
  healthcheck:
    interval: 10
    path: /up
    timeout: 5

Cloudflare encryption mode: Full (strict)

Then I obtained and deployed an Origin CA certificates from Cloudflare.

docker exec kamal-proxy kamal-proxy deploy service-web --target="*.example.com" --host="example.com" --tls --tls-certificate-path /etc/ssl/certs/example.com.pem --tls-private-key-path /etc/ssl/certs/example.com.key

When I run the above command, I'm getting the following error.
Error: *.example.com :invalid host pattern

example.com is accessible, but not subdomain.example.com

I've gone through these discussions #30 & #45

I'm a newbie so I don't know if I've made any mistakes.

Please help me.

[naveencom]

@simonhutchings @dhh @anthonynsimon @aarroisi @kevinmcconnell Can you please help?

[kevinmcconnell]

Hi @naveencom,

I think your target and host flags are slightly wrong here. --target should be the host that you want the proxy to route to. This is usually the same as the name of the Docker container that the app is running in (assuming you have a typical Kamal-style setup). So for example, if your app is reachable internally as web-01, you'd have --target=web-01.

The --host flag specifies the hostnames that you're receiving traffic for, and which match the certificate you're using. You can specify multiple --host flags (or use comma-separate lists), and you can use wildcard subdomains if they're allowed by your certificate. So --host="*.example.com" --host="example.com" is fine.

Let me know if that solves your problem!

[naveencom]

@kevinmcconnell Thanks for the response.

• Yes, I've typical Kamal style setup.
• Yes, wildcard subdomains is allowed in my Cloudflare Origin CA certificates, but I don't know if that's what you mean by tls certificate.
• When I run the command: docker exec kamal-proxy kamal-proxy list, I get the following info:

Service -> app-web
Host -> example.com
Target -> 492c19bf01c7:8000
State -> running
TLS -> yes

My target look like that and it's keep changing after each redeployment.

docker exec kamal-proxy kamal-proxy deploy app-web --target="492c19bf01c7:8000" --host="*.example.com" --tls --tls-certificate-path /etc/ssl/certs/example.com.pem --tls-private-key-path /etc/ssl/certs/example.com.key

When I run this, I'm getting Error: unable to load certificate error.

1. Why did you mention in discussion Allow routing to wildcard subdomains #45 --target=*.example.com ?
2. Is my Kamal proxy config correct for the context?
3. Is my TLS certificate correct ?
4. Any way to keep a static name for target ?

Please note, I've never dealt with TLS certificates before.

[kevinmcconnell]

Re #45 -- sorry, that was a typo on my part! I've edited the description there to fix it, so it won't be confusing for anyone else who finds it.

Since you're using Kamal to deploy your app, we'll really need the support for custom certificates to land there. While you could run the kamal-proxy deploy ... commands manually, you would lose those settings on the next Kamal deploy. We can't keep a static name for the target because of the way that Kamal works: each deployment will start a new target so it can switch traffic to it without any downtime.

If you want to test this setup out by using kamal-proxy deploy ... until the feature lands in Kamal, I think you'll just need to ensure that your .pem & .key files are accessible to the proxy container. That may be the reason for the "unable to load certificate" error. Other than that it should work, but as I say, the next kamal deploy will unfortunately undo those settings again, so it's not really viable until Kamal has the ability to specify the certificate files itself.

[naveencom]

@kevinmcconnell I tried everything for too many hours (and I got headache as well). I've been getting Error: unable to load certificate error. I don't know what's the real problem. I also tried both in PEM format and ECC type certificate.

It would be helpful for newbies like me, if Kamal automatically provided certificates for wild card domains in next versions.

Thanks.