Skip to content

Warn when typed domains aren't covered by the selected certificate#5717

Open
Grasfer wants to merge 2 commits into
NginxProxyManager:developfrom
Grasfer:upstream-pr/cert-mismatch-warning
Open

Warn when typed domains aren't covered by the selected certificate#5717
Grasfer wants to merge 2 commits into
NginxProxyManager:developfrom
Grasfer:upstream-pr/cert-mismatch-warning

Conversation

@Grasfer

@Grasfer Grasfer commented Jul 18, 2026

Copy link
Copy Markdown

Why

It's currently easy to save a proxy host with an SSL certificate that doesn't actually cover the typed domain names — nothing in the UI checks that the selected certificate matches. The mistake only surfaces later as browser certificate errors on the live host, which is confusing to debug because the UI showed no problem at save time.

This adds a non-blocking warning to the Proxy Host, Redirection Host, and 404 Host modals when one or more typed domains are not covered by the selected certificate (exact or one-label wildcard match). The warning appears under both the domain names field and the SSL certificate selector, since the two live on different tabs and the user may be looking at either one.

Deliberately non-blocking: there are legitimate reasons to save a mismatched pair (cert renewal in flight, DNS not cut over yet), so this informs rather than prevents. The warning stays silent when no certificate is selected ("None"), when requesting a new certificate inline, and while the certificate list is still loading — no false positives during normal flow.

Frontend-only; no API or backend changes. The domain/cert matching logic lives in a new CertificateMatch module with unit tests. Note: #5716 adds the same module for certificate auto-selection — whichever lands second rebases trivially.

Full disclosure: this was AI-written (boxes checked below) — I made it because I wanted the feature myself. It's been running on my own NPM instance and works for my day-to-day use, but that's the extent of the real-world testing, so review accordingly.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • API changes
  • Performance improvement
  • Test addition or update

AI Usage

  • AI was used to write this
  • AI was used to review this

grasfer and others added 2 commits July 18, 2026 14:33
Exact match preferred over one-label wildcard. Used by the certificate
mismatch warning; extracted so the warning stands alone.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Non-blocking warning in the Proxy, Redirection and 404 host modals,
shown under both the domain names field and the SSL certificate select
(the two live on different tabs). Reuses the auto-pick coverage logic
via a new uncoveredDomains() export; silent for None, "new" and while
certificates load. Fixes NginxProxyManager#3.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Grasfer

Grasfer commented Jul 18, 2026

Copy link
Copy Markdown
Author

As the AI mentioned i just wanted these features myself, i do not know coding at all, but it works as i wanted on my own system.
Feels bad(i dont know why) doing ai pr's but maybe someone else find this useful.

@nginxproxymanagerci

Copy link
Copy Markdown

Docker Image for build 1 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5717

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant