bug: Only the first of multiple wildcard domain certificates works

[incubator4]

Current Behavior

I use cert-manager to create a multi wildcard domain cert like this:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: apisix-default-cert
  namespace: <namespace>
spec:
  dnsNames:
    - '*.staging.domain.com'
    - '*.prod.domain.com'
  issuerRef:
    kind: ClusterIssuer
    name: cloudflare
  secretName: apisix-default-cert

Then I would get a secret apisix-default-cert with two wildcard domains. And use cloud native way to inject secret to apisix by apisix ingress controllor TLS crd.

apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: apisix-tls
  namespace: <namespace>
spec:
  hosts:
    - "*.staging.domain.com"
    - "*.prod.domain.com"
  secret:
    name: apisix-default-cert
    namespace: <some ns>

After this, I can see tls have been applied in apisix by call admin api

there is some reponse.

{"snis": ["*.staging.domain.com","*.prod.domain.com"]}

Then I try some host by curl but got error.

staging

this return error msg show ssl worked.

$ curl https://test.staging.domain.com
{"error_msg":"404 Route Not Found"}

prod

this return ssl error.

$ curl https://test.prod.domain.com
curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error

Expected Behavior

I thought both wildcard domain should take effect, instead of the first.
If multiple wildcard domain are not supported, neither apisix nor apisix-ingress-controller reported any errors. It might be denied at some stage of apisix or apisix-ingress-controller ?

Error Logs

No response

Steps to Reproduce

1. Create a multi wildcard domain cert.
2. Apply cert to apisix
3. Use other than the first domain name to access apisix

Environment

• APISIX version (run apisix version): 3.6.0
• APISIX Docker version: 3.6.0-debian
• OpenResty / Nginx version (run openresty -V or nginx -V): openresty/1.21.4.2
• APISIX Ingress Controller version: 1.7.0

[Revolyssup]

@incubator4 Can you also paste your ApisixRoute configuration?

[incubator4]

@incubator4 Can you also paste your ApisixRoute configuration?

Actually, I thought it should not be ApisixRoute configuration error，in my use case even I have not create any route. The Apisix would reply {"error_msg":"404 Route Not Found"}

This issue aimed to the certificate with multi sni, or should I create issue in root apisix repository？

[Revolyssup]

@incubator4 The error is that route not found because you haven't created a route for that host maybe. You must have a route configuration configured for prod.* already

[incubator4]

@incubator4 The error is that route not found because you haven't created a route for that host maybe. You must have a route configuration configured for prod.* already

yeah but I'm not talking about route error but tls error.

[Revolyssup]

@incubator4 Okay I get it. Let me take a look

[Revolyssup]

@incubator4 Can you share some logs from APISIX when you send these requests?

[Revolyssup]

@incubator4 If you only use prod and not staging in hosts, do you get the same error?

[incubator4]

@incubator4 If you only use prod and not staging in hosts, do you get the same error?

no， standalone wildcard domain would not get error

[github-actions]

This issue has been marked as stale due to 90 days of inactivity. It will be closed in 30 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.

[github-actions]

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.