1 What Pangolin Does

Pangolin is a lightweight edge gateway built to work with Tailscale Funnel:

  • Exposes internal services over HTTPS on port 443
  • Automatically issues Let’s Encrypt certificates
  • Adds optional OAuth 2 / OIDC log-in screens
  • Routes by hostname or path from a clean web dashboard

Minimal example:

  pangolin service add grafana http://localhost:3000
  tailscale funnel enable grafana

You can then visit:

https://grafana.apps.example.com


2 The Wildcard Collision

We already had Coolify managing our apps at *.example.com with its own wildcard TLS certificate.

When we pointed DNS for Pangolin like this:

  Name         Type   Value (IP)
  pangolin     A      203.0.113.10
  *.pangolin   A      203.0.113.10

https://dashboard.pangolin.example.com

threw a TLS error because Coolify’s certificate for *.example.com hijacked the handshake. A wildcard certificate matches exactly one DNS label, so pangolin.example.com still fell under Coolify’s *.example.com umbrella.


3 The Fix: One Level Deeper

Escape the wildcard by adding another dot:

  1. Choose a deeper namespace:

     pangolin.edge.example.com
     *.pangolin.edge.example.com

  2. Update DNS:

     Name               Type   Value (IP)     Proxy
     pangolin.edge      A      203.0.113.10   DNS-only
     *.pangolin.edge    A      203.0.113.10   DNS-only

  3. Tell Pangolin

     Systemd (/etc/pangolin/config.toml):

     [server]
     base_url = "https://dashboard.pangolin.edge.example.com"

  4. Restart Pangolin and re-enable Funnel:

     docker compose restart

Because Coolify’s cert (*.example.com) cannot match *.edge.example.com, Pangolin now issues its own Let’s Encrypt cert without interference.
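The one-label rule behind both the collision in section 2 and the fix above can be checked without touching DNS or a live proxy. The Python below is an added example, not code from Pangolin, Coolify or this post: it reimplements the wildcard matching that browsers apply to a certificate's subjectAltName dNSName entries (RFC 6125 section 6.4.3) and runs it against three constructed certificates that stand in for Coolify's *.example.com cert, Pangolin's first attempt, and the *.pangolin.edge.example.com cert from the fix. The `Certificate` class, its `owner` labels and the SAN lists are constructed for illustration and are not real certificates.

```python
"""One-label wildcard matching, as browsers apply it to certificate SANs.

Added example (not part of Pangolin, Coolify or the article): shows why a
*.example.com certificate covers pangolin.example.com but can never cover
dashboard.pangolin.example.com or anything under *.pangolin.edge.example.com.
"""
from dataclasses import dataclass


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName entry covers the given hostname.

    Rules applied (RFC 6125 sec. 6.4.3, simplified to whole-label wildcards):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is recognised only as the entire left-most label;
      * the wildcard matches exactly one label, never a dot, so it cannot
        cover the bare domain nor a name two labels deep.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.rest.of.name" is accepted; partial forms like "pan*.example.com"
    # are rejected here for simplicity.
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    # Refuse wildcards too close to the root, such as "*.com".
    if len(p_labels) < 3:
        return False
    # Exactly one label: the host must have as many labels as the pattern.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a leaf certificate: owner plus its SAN list."""
    owner: str
    san: tuple

    def covers(self, hostname: str) -> bool:
        return any(hostname_matches(name, hostname) for name in self.san)


# Constructed certificates modelling the gateways in the article (hypothetical).
COOLIFY_CERT = Certificate("Coolify", ("example.com", "*.example.com"))
PANGOLIN_CERT_OLD = Certificate("Pangolin (first attempt)", ("*.pangolin.example.com",))
PANGOLIN_CERT_NEW = Certificate("Pangolin (one level deeper)", ("*.pangolin.edge.example.com",))
ALL_CERTS = (COOLIFY_CERT, PANGOLIN_CERT_OLD, PANGOLIN_CERT_NEW)


def who_covers(hostname: str, certs=ALL_CERTS) -> list:
    """Owners of every certificate whose SANs match hostname.

    An empty list means no certificate is valid for the name: if a proxy
    presents one of these certs anyway, the browser reports a TLS error.
    """
    return [c.owner for c in certs if c.covers(hostname)]


def overlap(a: Certificate, b: Certificate, sample_hosts) -> set:
    """Hostnames from sample_hosts that both certificates claim."""
    return {h for h in sample_hosts if a.covers(h) and b.covers(h)}


if __name__ == "__main__":
    hosts = (
        "app.example.com",                     # a Coolify app
        "pangolin.example.com",                # Pangolin's base host, first layout
        "dashboard.pangolin.example.com",      # the URL that failed in section 2
        "dashboard.pangolin.edge.example.com", # the URL after the fix
    )
    for host in hosts:
        print(f"{host:40} -> {who_covers(host) or ['nobody: handshake fails']}")
    print("Coolify/Pangolin overlap after fix:", overlap(COOLIFY_CERT, PANGOLIN_CERT_NEW, hosts))
```

Running the script shows Coolify's certificate claiming pangolin.example.com but nothing deeper, which is exactly the umbrella described in section 2; once Pangolin lives under edge.example.com, `overlap` returns an empty set for every sample host, matching the "zero overlap" result. To confirm what a real proxy presents for a given SNI name, the same matching logic can be applied to the SAN list returned by `ssl.SSLSocket.getpeercert()`, which is a stricter check than simply noting that the browser accepted the connection.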


Final Result

Coolify continues to serve all apps under *.example.com, while Pangolin securely fronts internal tools at *.pangolin.edge.example.com, each with its own validated TLS certificate and zero overlap.