Wildcard custom certificates cannot be used for modules configuration

[nrauso]

It is not possible to use a third-party wildcard SSL certificate provided by an external authority for configuring modules in NS8. When you upload a third-party certificate, the UI automatically detects the FQDNs included in it. In the case of a wildcard certificate, this means that all FQDNs in the DNS namespace (e.g., *.mydomain.org) are recognized:

However, this "special name" cannot be applied to any of the modules you install on an NS8 node, and the TLS certificates UI does not offer a way to manage this configuration.
Additionally, the settings page for any NS8 module includes an option to manage an LE certificate but does not allow the management of third-party certificates:

In conclusion, there is no way to manage a third-party wildcard SSL certificate within NS8 (and as far as I know, 99% of third-party certificates purchased from external authorities are wildcard certificates!).

At the moment, the workaround is to manually insert the necessary DNS names along with the private key and certificate from the external authority into the redis database.

Components

core:2.9.1
traefik:2.2.3

[Amygos]

Uploading a custom wildcard certificate prevents all subdomains from obtaining Let's Encrypt (LE) certificates.

Example:

[root@server ~]# cat  /home/traefik1/.config/state/configs/certificate-example.domain.com.yml 
http:
  routers:
    certificate-example.domain.com:
      entrypoints: https
      service: ping@internal
      rule: Host(`example.domain.com`) && Path(`//8b38cb85-451a-4795-a706-4b544d9cfd36`)
      priority: '1'
      tls:
        domains:
        - main: example.domain.com
        certresolver: acmeServer

Running the command to list certificates with api-cli shows that the example.domain.com subdomain fails to obtain its certificate, while others succeed:

[root@server ~]# api-cli run module/traefik1/list-certificates -d '{"expand_list":true}' | jq
Warning: using user "cluster" credentials from the environment
[
  {
    "fqdn": "mail.service.domain.com",
    "type": "internal",
    "obtained": true
  },
  {
    "fqdn": "example.domain.com",
    "type": "internal",
    "obtained": false
  },
  ...
  {
    "fqdn": "*.domain.com",
    "type": "custom",
    "obtained": true
  }
]

Testing port 443 returns the wildcard certificate instead of obtaining an LE certificate:

[user@local ~]$ curl -v https://example.domain.com
...
* Server certificate:
*  subject: CN=*.domain.com
*  start date: May 21 00:00:00 2024 GMT
*  expire date: Jan 31 23:59:59 2025 GMT
*  subjectAltName: host "example.domain.com" matched cert's "*.domain.com"

Problem:

• Traefik doesn't request an LE certificate for subdomains if a wildcard certificate is installed.
• acme.json is not updated, and the event of obtaining a certificate is never triggered.
• If a module does not use port 443, it cannot acquire the certificate automatically.