1 What Pangolin Does
Pangolin is a lightweight edge gateway built to work with Tailscale Funnel:
- Exposes internal services over HTTPS on port 443
- Automatically issues Let’s Encrypt certificates
- Adds optional OAuth 2 / OIDC log-in screens
- Routes by hostname or path from a clean web dashboard
Minimal example:
~~~bash
pangolin service add grafana http://localhost:3000
tailscale funnel enable grafana
~~~
You can then visit:
https://grafana.apps.example.com
2 The Wildcard Collision
We already had Coolify managing our apps at *.example.com with its own wildcard TLS certificate.
When we pointed DNS for Pangolin like this:
| Name | Type | Value (IP) |
|---|---|---|
| pangolin | A | 203.0.113.10 |
| *.pangolin | A | 203.0.113.10 |
visiting https://dashboard.pangolin.example.com threw a TLS error because Coolify’s certificate for *.example.com hijacked the handshake: a wildcard certificate matches only one label, so pangolin.example.com still fell under Coolify’s umbrella.
3 The Fix: One Level Deeper
Escape the wildcard by adding another dot:
- Choose a deeper namespace
- Update DNS
| Name | Type | Value (IP) | Proxy |
|---|---|---|---|
| pangolin.edge | A | 203.0.113.10 | DNS-only |
| *.pangolin.edge | A | 203.0.113.10 | DNS-only |
- Tell Pangolin
Config file (/etc/pangolin/config.toml):
~~~toml
[server]
base_url = "https://dashboard.pangolin.edge.example.com"
~~~
- Restart Pangolin and re-enable Funnel:
~~~bash
docker compose restart
~~~
Because Coolify’s cert (*.example.com) cannot match *.edge.example.com, Pangolin now issues its own Let’s Encrypt cert without interference.
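The one-label rule behind both the collision in section 2 and the fix in section 3 is easy to check mechanically. The following is an added example, not code from the original post and not Pangolin's or Coolify's own code: a small hostname matcher that applies the RFC 6125 rules for dNSName SAN entries (a wildcard only as the whole leftmost label, matching exactly one non-empty label) and runs it over the hostnames used in this post. The SAN list for Coolify's certificate is an assumption based on the text (`example.com` plus `*.example.com`).

```python
"""Wildcard-certificate hostname matching (added example, not the post's code).

Shows why a *.example.com certificate covers pangolin.example.com but not
dashboard.pangolin.example.com, and why nothing under *.pangolin.edge.example.com
can collide with it. Rules follow RFC 6125 section 6.4.3; the Coolify SAN list
below is an assumption drawn from the post.
"""


def _normalise(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot denotes the same name.
    return name.lower().rstrip(".")


def san_matches_host(san: str, host: str) -> bool:
    """Return True if one certificate SAN entry (dNSName) covers `host`.

    * No wildcard: exact, case-insensitive match.
    * A wildcard must be the entire leftmost label ('*.example.com'),
      never partial ('pan*.example.com') and never in a later label.
    * The wildcard matches exactly one non-empty label, so it covers
      neither the bare domain nor a host two labels deep.
    * Wildcards directly under a TLD ('*.com') are rejected.
    """
    san, host = _normalise(san), _normalise(host)
    if "*" not in san:
        return san == host

    san_labels = san.split(".")
    host_labels = host.split(".")

    # Wildcard only as the whole leftmost label, and only one of them.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    if len(san_labels) < 3:
        return False  # '*.com' style wildcards are not accepted
    if len(host_labels) != len(san_labels):
        return False  # one wildcard == exactly one label
    if not host_labels[0]:
        return False  # wildcard must match a non-empty label
    return host_labels[1:] == san_labels[1:]


def cert_covers_host(sans: list[str], host: str) -> bool:
    """True if any SAN entry on the certificate covers `host`."""
    return any(san_matches_host(san, host) for san in sans)


def coverage(sans: list[str], hosts: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate would validate for it."""
    return {host: cert_covers_host(sans, host) for host in hosts}


# Assumed SANs on Coolify's wildcard certificate (constructed for this example).
COOLIFY_SANS = ["example.com", "*.example.com"]

# Hostnames taken from the post: the collision case and the fixed layout.
HOSTS = [
    "pangolin.example.com",                    # one label deep: covered
    "dashboard.pangolin.example.com",          # two labels deep: TLS error
    "dashboard.pangolin.edge.example.com",     # fixed layout: never covered
    "grafana.pangolin.edge.example.com",
]

if __name__ == "__main__":
    for host, covered in coverage(COOLIFY_SANS, HOSTS).items():
        print(f"{'covered' if covered else 'NOT covered':12} {host}")
```

Run it as a script to see that Coolify's certificate validates only for `pangolin.example.com`; every hostname in the deeper `*.pangolin.edge.example.com` namespace is outside its reach, which is exactly why Pangolin's own Let's Encrypt certificate can be issued and served there without a conflict. The same function is useful for sanity-checking any planned SAN list before requesting a certificate.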
4 Final Result
Coolify continues to serve all apps under *.example.com, while Pangolin securely fronts internal tools at *.pangolin.edge.example.com, each with its own validated TLS certificate and zero overlap.