From c0d1d451376a203a1aa18ef1e936197f6fda1ad7 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Wed, 27 Oct 2021 13:43:58 -0600 Subject: httpcaddyfile: Allow most IPs for public certs See corresponding public-ip-certs branch of CertMagic, which this requires. At time of writing this feature is not ready to ship, because no public CAs offer IP certs via ACME. --- caddyconfig/httpcaddyfile/tlsapp.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 0fe1fc5f2..35b555bf4 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -617,8 +617,7 @@ func automationPolicyShadows(i int, aps []*caddytls.AutomationPolicy) int { // that this allows domains with multiple wildcard levels like '*.*.example.com' to qualify // if the automation policy has OnDemand enabled (i.e. this function is more lenient). func subjectQualifiesForPublicCert(ap *caddytls.AutomationPolicy, subj string) bool { - return !certmagic.SubjectIsIP(subj) && - !certmagic.SubjectIsInternal(subj) && + return !certmagic.SubjectIsInternal(subj) && (strings.Count(subj, "*.") < 2 || ap.OnDemand) } -- cgit v1.2.3