From 0ca3377e689e5303cf069ec95c4aa55e591ea6ad Mon Sep 17 00:00:00 2001
From: Gusted
Date: Sun, 15 Jan 2023 23:30:03 +0100
Subject: [PATCH] Allow to use certificate even if domain validation fails

- Currently if the canonical domain validations fails(either for legitimate reasons or for bug reasons like the request to Gitea/Forgejo failing) it will use main domain certificate, which in the case for custom domains will warrant a security error as the certificate isn't issued to the custom domain.
- This patch handles this situation more gracefully and instead only disallow obtaining a certificate if the domain validation fails, so in the case that a certificate still exists it can still be used even if the canonical domain validation fails. There's a small side effect, legitimate users that remove domains from `.domain` will still be able to use the removed domain(as long as the DNS records exists) as long as the certificate currently hold by pages-server isn't expired.
- Given the increased usage in custom domains that are resulting in errors, I think it ways more than the side effect.
---
 server/certificates/certificates.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/certificates/certificates.go b/server/certificates/certificates.go
index 1aa90a0..0bf5672 100644
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@@ -70,6 +70,7 @@ func TLSConfig(mainDomainSuffix string,
 }
 targetOwner := ""
+ mayObtainCert := true
 if strings.HasSuffix(sni, mainDomainSuffix) || strings.EqualFold(sni, mainDomainSuffix[1:]) {
 // deliver default certificate for the main domain (*.codeberg.page)
 sni = mainDomainSuffix
@@ -87,7 +88,9 @@ func TLSConfig(mainDomainSuffix string,
 }
 _, valid := targetOpt.CheckCanonicalDomain(giteaClient, sni, mainDomainSuffix, canonicalDomainCache)
 if !valid {
- sni = mainDomainSuffix
+ // We shouldn't obtain a certificate when we cannot check if the
+ // repository has specified this domain in the `.domains` file.
+ mayObtainCert = false
 }
 }
 }
@@ -106,6 +109,10 @@ func TLSConfig(mainDomainSuffix string,
 return nil, errors.New("won't request certificate for main domain, something really bad has happened")
 }
+ if !mayObtainCert {
+ return nil, fmt.Errorf("won't request certificate for %q", sni)
+ }
+
 tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits, certDB)
 if err != nil {
 return nil, err
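Review bot: `mayObtainCert = false` on the `!valid` branch folds two different outcomes into one flag: CheckCanonicalDomain answering that the repository's `.domains` file does not list this domain, and CheckCanonicalDomain being unable to answer because the lookup itself failed (the Gitea/Forgejo request error the commit message mentions). Because `sni` is no longer reset, a certificate already held for the custom domain keeps being served in both cases, so a deliberate removal from `.domains` only takes effect once that certificate expires, and nothing in the hunk records that validation failed. If CheckCanonicalDomain can report a lookup error separately from a negative answer, it would be safer to keep serving the cached certificate only on the error path and let an explicit negative keep blocking; otherwise at least log the failed validation here so the cached-certificate path is observable. The added comment only describes the "cannot check" case; `// Validation failed or could not be performed: keep serving any cached certificate, but do not obtain a new one.` would cover both. TLSConfig's body continues on both sides of this hunk.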
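Review bot: The error returned by the new `if !mayObtainCert` check names the domain but not the reason, so an operator investigating the custom-domain errors the commit message describes sees only the domain name and cannot tell that the canonical-domain validation is what blocked issuance; `return nil, fmt.Errorf("won't request certificate for %q: canonical domain validation failed", sni)` would make the handshake failure self-explanatory. The hunk does not touch the import block, so `fmt` is presumably already imported in this file; worth confirming if the build has not been run. TLSConfig continues past the end of the hunk.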