aboutsummaryrefslogtreecommitdiffhomepage
path: root/modules/caddyhttp/autohttps.go
diff options
context:
space:
mode:
Diffstat (limited to 'modules/caddyhttp/autohttps.go')
-rw-r--r--modules/caddyhttp/autohttps.go16
1 files changed, 13 insertions, 3 deletions
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index ccb610327..4449e1f4d 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -320,11 +320,21 @@ uniqueDomainsLoop:
}
}
- // if no automation policy exists for the name yet, we
- // will associate it with an implicit one
+ // if no automation policy exists for the name yet, we will associate it with an implicit one;
+ // we handle tailscale domains specially, and we also separate out identifiers that need the
+ // internal issuer (self-signed certs); certmagic does not consider public IP addresses to be
+ // disqualified for public certs, because there are public CAs that will issue certs for IPs.
+ // However, with auto-HTTPS, many times there is no issuer explicitly defined, and the default
+ // issuers do not (currently, as of 2024) issue IP certificates; so assign all IP subjects to
+ // the internal issuer when there are no explicit automation policies
+ shouldUseInternal := func(ident string) bool {
+ usingDefaultIssuersAndIsIP := certmagic.SubjectIsIP(ident) &&
+ (app.tlsApp == nil || app.tlsApp.Automation == nil || len(app.tlsApp.Automation.Policies) == 0)
+ return !certmagic.SubjectQualifiesForPublicCert(d) || usingDefaultIssuersAndIsIP
+ }
if isTailscaleDomain(d) {
tailscale = append(tailscale, d)
- } else if !certmagic.SubjectQualifiesForPublicCert(d) {
+ } else if shouldUseInternal(d) {
internal = append(internal, d)
}
}