Diffstat (limited to 'modules/caddytls/tls.go')
-rw-r--r--modules/caddytls/tls.go20
1 files changed, 11 insertions, 9 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 12d25ad..146eed4 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -137,7 +137,7 @@ func (t *TLS) Provision(ctx caddy.Context) error {
continue
}
t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
- IssuerRaw: json.RawMessage(`{"module":"internal"}`),
+ IssuersRaw: []json.RawMessage{json.RawMessage(`{"module":"internal"}`)},
}
err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
if err != nil {
@@ -303,20 +303,22 @@ func (t *TLS) Manage(names []string) error {
// HandleHTTPChallenge ensures that the HTTP challenge is handled for the
// certificate named by r.Host, if it is an HTTP challenge request. It
-// requires that the automation policy for r.Host has an issue of type
-// *certmagic.ACMEManager.
+// requires that the automation policy for r.Host has an issuer of type
+// *certmagic.ACMEManager, or one that is ACME-enabled (GetACMEIssuer()).
func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool {
if !certmagic.LooksLikeHTTPChallenge(r) {
return false
}
+ // try all the issuers until we find the one that initiated the challenge
ap := t.getAutomationPolicyForName(r.Host)
- if ap.magic.Issuer == nil {
- return false
- }
type acmeCapable interface{ GetACMEIssuer() *ACMEIssuer }
- if am, ok := ap.magic.Issuer.(acmeCapable); ok {
- iss := am.GetACMEIssuer()
- return certmagic.NewACMEManager(iss.magic, iss.template).HandleHTTPChallenge(w, r)
+ for _, iss := range ap.magic.Issuers {
+ if am, ok := iss.(acmeCapable); ok {
+ iss := am.GetACMEIssuer()
+ if certmagic.NewACMEManager(iss.magic, iss.template).HandleHTTPChallenge(w, r) {
+ return true
+ }
+ }
}
return false
}
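Review bot: In the new loop in HandleHTTPChallenge, the value returned by `am.GetACMEIssuer()` is dereferenced (`iss.magic`, `iss.template`) without a nil check, on a path that any unauthenticated request resembling an HTTP challenge can reach. If an issuer satisfies `acmeCapable` but can return nil (not visible in this hunk), the handler would panic; a guard such as `if iss == nil { continue }` before constructing the manager would skip that issuer instead. The inner `iss :=` also shadows the loop variable of the same name, so a distinct name such as `acmeIss` would make it clearer which value is in use. Trying the issuers in turn also assumes that a manager returning false has not already written to `w`, which is worth confirming against certmagic before relying on the fall-through.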