diff options
Diffstat (limited to 'caddyconfig')
| -rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index a721fee..e732957 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -213,7 +213,17 @@ func (st ServerType) buildTLSApp( if ap.Issuer == nil { var internal, external []string for _, s := range ap.Subjects { - if certmagic.SubjectQualifiesForPublicCert(s) { + if !certmagic.SubjectQualifiesForCert(s) { + return nil, warnings, fmt.Errorf("subject does not qualify for certificate: '%s'", s) + } + // we don't use certmagic.SubjectQualifiesForPublicCert() because of one nuance: + // names like *.*.tld that may not qualify for a public certificate are actually + // fine when used with OnDemand, since OnDemand (currently) does not obtain + // wildcards (if it ever does, there will be a separate config option to enable + // it that we would need to check here) since the hostname is known at handshake; + // and it is unexpected to switch to internal issuer when the user wants to get + // regular certificates on-demand for a class of certs like *.*.tld. + if !certmagic.SubjectIsIP(s) && !certmagic.SubjectIsInternal(s) && (strings.Count(s, "*.") < 2 || ap.OnDemand) { external = append(external, s) } else { internal = append(internal, s) |