incubator4 opened a new issue, #2084:
URL: https://github.com/apache/apisix-ingress-controller/issues/2084

   ### Current Behavior
   
   I use cert-manager to create a multi wildcard domain cert like this:
   ```yaml
   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: apisix-default-cert
     namespace: <namespace>
   spec:
     dnsNames:
       - '*.staging.domain.com'
       - '*.prod.domain.com'
     issuerRef:
       kind: ClusterIssuer
       name: cloudflare
     secretName: apisix-default-cert
   ``` 
   Then I would get a secret `apisix-default-cert` with two wildcard domains. And I use the cloud-native way to inject the secret into APISIX through the apisix ingress controller TLS CRD.
   ```yaml
   apiVersion: apisix.apache.org/v2
   kind: ApisixTls
   metadata:
     name: apisix-tls
     namespace: <namespace>
   spec:
     hosts:
       - "*.staging.domain.com"
       - "*.prod.domain.com"
     secret:
       name: apisix-default-cert
       namespace: <some ns>
   ```
   After this, I can see the TLS has been applied in APISIX by calling the admin API.
   
   Here is some of the response.
   ```json
   {"snis": ["*.staging.domain.com","*.prod.domain.com"]}
   ```
   
   Then I tried some hosts with curl but got an error.
   
   ### staging
   This returns an error message, which shows SSL worked.
   ```shell
   $ curl https://test.staging.domain.com
   {"error_msg":"404 Route Not Found"}
   ```
   
   ### prod
   This returns an SSL error.
   ```shell
   $ curl https://test.prod.domain.com
   curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
   ```
   
   ### Expected Behavior
   
   I thought both wildcard domains should take effect, instead of just the first.
   If multiple wildcard domains are not supported, neither apisix nor apisix-ingress-controller reported any errors. It might be denied at some stage of apisix or apisix-ingress-controller?
   
   ### Error Logs
   
   _No response_
   
   ### Steps to Reproduce
   
   1. Create a multi wildcard domain cert.
   2. Apply the cert to apisix.
   3. Use a domain name other than the first to access apisix.
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.6.0
   - APISIX Docker version: 3.6.0-debian
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): openresty/1.21.4.2
   - APISIX Ingress Controller version: 1.7.0
   