# Pangolin

Pangolin Install and Setup Guide

# Pangolin Install Guide

Pangolin is

Most of the guide is from their doc page, however, there is a part missing for making proxy redirect work properly.

[Pangolin Quick Install Guide](https://docs.digpangolin.com/self-host/quick-install)

[VPS Hardening Security Guide](https://docs.cyberpaw.org/books/ssh-commands-and-guides/page/linux-server-hardening-vps)

#####  

##### Pangolin Install Guide

This will resolve an issue of [https://pangolin.cyberpaw.org/auth/initial-setup](https://pangolin.cyberpaw.org/auth/initial-setup) site not being reachable, or getting Invalid ssl cert error.

1. Login trough SSH to VPS server that is preset with necessary security steps
2. Download the installer

```bash
curl -fsSL https://digpangolin.com/get-installer.sh | bash
```

3. Run the installer

```bash
sudo ./installer
```

4. Once installer is finished Configure basic Settings from prompts. The installer will prompt you for essential configuration: 
    1. Base Domain: Enter your root domain without subdomains (e.g., example.com)
    2. Dashboard Domain: Press Enter to accept the default pangolin.example.com or enter a custom domain
    3. Let’s Encrypt Email: Provide an email for SSL certificates and admin login
    4. Tunneling: Choose whether to install Gerbil for tunneled connections (default: yes). You can run Pangolin without tunneling. It will function as a standard reverse proxy.
    5. Email Configuration: Say no, if you don't have SMTP server set up
    6. CrowdSec: say Yes to install and self manager CrowdSec
5. Once installer is ready try to go to:

```
https://pangolin.example.com/auth/initial-setup
```

If you get Invalid SSL Certificate error or Site can't be reached continue with steps below

##### Traefik dynamic\_config.yml Change

1. Navigate to Traefik Config Directory

```bash
cd /config/traefik
```

2. Backup existing file

```bash
cp dynamic_config.yml dynamic_config.yml.bak
```

3. Edit yml

```bash
nano dynamic_config.yml
```

4. Add new line in router part

```yaml
    setup-router:
      rule: "Host(`pangolin.cyberpaw.org`) && PathPrefix(`/auth`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
```

5. Save and Exit
6. Restart traefik container

```bash
docker restart <traefik_container_name>
```

Now try to go to initial setup and follow initial steps.

# Post Install ACME Falining Fix

<span style="white-space: pre-wrap;">This guide walks you through the exact steps to diagnose and fix ACME certificate issues during a Pangolin installation. These steps cover the most common real‑world causes: DNS mismatches, blocked ports, Traefik misconfiguration, and redirect loops. Follow the checklist in order—each step rules out a specific failure point so you can quickly identify what’s wrong and get ACME issuing certificates again.</span>

<div id="bkmrk-" style="white-space: normal;">  
</div>### Troubleshoot Steps

#### <span style="white-space: normal;">Verify DNS is pointing to the correct server</span>

<span style="white-space: pre-wrap;">ACME will always fail if DNS points to the wrong IP.</span>

- <span style="white-space: pre-wrap;">`A yourdomain.com → <your VPS IP>`</span>
- <span style="white-space: pre-wrap;">`A *.yourdomain.com → <your VPS IP>`</span>

1. <span style="white-space: pre-wrap;">Check your server’s public IP and make sure it matches your DNS records</span>

```bash
curl ifconfig.me
```

<div id="bkmrk--1" style="white-space: normal;"></div>#### <span style="white-space: normal;">Test port 80 from outside the server</span>

<span style="white-space: pre-wrap;">ACME HTTP‑01 requires port 80 to be reachable publicly.</span>

1. <span style="white-space: pre-wrap;">From your laptop or phone:</span>

<div id="bkmrk--2" style="white-space: normal;"><div style="white-space: normal;">  
</div></div>```bash
curl -I http://yourdomain.com
```

<span style="white-space: pre-wrap;">Interpret the result:</span>

- <span style="white-space: pre-wrap;">**200 / 301 / 404** → Port 80 is open (good)</span>
- <span style="white-space: pre-wrap;">**Timeout** → Firewall or provider is blocking port 80</span>
- <span style="white-space: pre-wrap;">**Connection refused** → Traefik is not listening on port 80</span>

<div id="bkmrk--3" style="white-space: normal;">  
</div>#### <span style="white-space: normal;">Check VPS firewall (UFW)</span>

<div id="bkmrk-bash" style="white-space: normal;"><div style="white-space: normal;"><div style="white-space: normal;">  
</div></div><div class="rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900"><div style="white-space: pre;">  
</div></div></div>```bash
sudo ufw status
```

<div id="bkmrk-code" style="white-space: normal;"><div style="white-space: normal;"><div style="white-space: normal;"><span style="white-space: pre-wrap;">You should see</span></div></div><div class="rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900"><div style="white-space: pre;">  
</div></div></div>```bash
80/tcp   ALLOW
443/tcp  ALLOW
```

<span style="white-space: pre-wrap;">If missing:</span>

```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```

<div id="bkmrk--4" style="white-space: normal;">  
</div>#### <span style="white-space: normal;">Check hosting provider firewall</span>

<span style="white-space: pre-wrap;">For example Hetzner has an external firewall that overrides UFW</span>

1. <span style="white-space: pre-wrap;">Go to your VPS dashboard</span>
2. <span style="white-space: pre-wrap;"><span style="white-space: pre-wrap;">Server → Networking → Firewalls</span></span>

<div id="bkmrk-code-1" style="white-space: normal;"></div>```bash
TCP 80
TCP 443
```

<span style="white-space: pre-wrap;">If port 80 is missing → ACME will fail every time.</span>

#### <span style="white-space: normal;">Confirm Traefik is listening on port 80</span>

<div id="bkmrk-bash-2" style="white-space: normal;"><div style="white-space: normal;"><div style="white-space: normal;">1. <span style="white-space: pre-wrap;">SSH into server and run following command</span>

</div></div></div>```bash
sudo ss -tulpn | grep :80
```

<span style="white-space: pre-wrap;">Expected:</span>

```bash
docker-proxy ... LISTEN ... :80
```

<span style="white-space: pre-wrap;">If nothing is listening → Traefik didn’t bind to port 80.</span>

#### <span style="white-space: normal;">Disable HTTP→HTTPS redirect during ACME</span>

<span style="white-space: pre-wrap;">This is the most common Traefik issue.</span>

<span style="white-space: pre-wrap;">If Traefik redirects ACME requests to HTTPS before a certificate exists, ACME fails.</span>

1. <span style="white-space: pre-wrap;">SSH into the server, and go to dynamic-compose.yaml. Usually in config &gt; traefik folder</span>

```yaml
main-app-router-redirect:
  entryPoints:
    - web
  middlewares:
    - redirect-to-https
```

2. <span style="white-space: pre-wrap;"><span style="white-space: pre-wrap;">Temporarily comment out the redirect:</span></span>

```yaml
# - redirect-to-https
```

3. <span style="white-space: pre-wrap;">Restart Traefik:</span>

```bash
sudo docker compose restart traefik
```

<div id="bkmrk--7" style="white-space: normal;">Uncomment the redirect after successful redirect</div>#### <span style="white-space: normal;">Ensure ACME is using HTTP‑01 on the correct entrypoint</span>

<span style="white-space: pre-wrap;">In traefik onfig yaml</span>

```yaml
httpChallenge:
  entryPoint: web
```

<span style="white-space: pre-wrap;">Entrypoints must be:</span>

```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
```