diff --git a/server/certificates/certificates.go b/server/certificates/certificates.go
index 1aa90a0..0bf5672 100644
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@@ -70,6 +70,7 @@ func TLSConfig(mainDomainSuffix string,
 }
 targetOwner := ""
+ mayObtainCert := true
 if strings.HasSuffix(sni, mainDomainSuffix) || strings.EqualFold(sni, mainDomainSuffix[1:]) {
 // deliver default certificate for the main domain (*.codeberg.page)
 sni = mainDomainSuffix
@@ -87,7 +88,9 @@ func TLSConfig(mainDomainSuffix string,
 }
 _, valid := targetOpt.CheckCanonicalDomain(giteaClient, sni, mainDomainSuffix, canonicalDomainCache)
 if !valid {
- sni = mainDomainSuffix
+ // We shouldn't obtain a certificate when we cannot check if the
+ // repository has specified this domain in the `.domains` file.
+ mayObtainCert = false
 }
 }
 }
@@ -106,6 +109,10 @@ func TLSConfig(mainDomainSuffix string,
 return nil, errors.New("won't request certificate for main domain, something really bad has happened")
 }
+ if !mayObtainCert {
+ return nil, fmt.Errorf("won't request certificate for %q", sni)
+ }
+
 tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits, certDB)
 if err != nil {
 return nil, err
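Review bot: The new `mayObtainCert` flag only gates the `obtainCert` call in the third hunk, so whatever runs between the end of the second hunk (new line 96) and the start of the third (new line 109) — not shown here — still executes for a domain whose `.domains` check failed; if that stretch serves a certificate already stored in `certDB` for `sni`, a previously issued certificate keeps being served for a domain that is no longer (or cannot be confirmed to be) listed, which may be intended but deserves a comment at the `if !mayObtainCert` check stating that only new issuance is refused. The comment added in the second hunk says "cannot check", but `valid` being false presumably also covers the case where the check ran and the domain simply is not listed; consider `// Do not obtain a certificate unless the repository's .domains file confirms this domain (or the check could not be performed).` so the two cases are not conflated. The third hunk introduces `fmt.Errorf` where the surrounding code uses `errors.New`; confirm `fmt` is already imported in this file, since the import block is outside the diff. `TLSConfig` starts before the first hunk and continues after the last.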