Merge branch 'main' into xorm

2025-04-25 06:16:58 +00:00 · 2023-02-10 01:38:38 +00:00 · 2023-02-10 01:38:38 +00:00 · ab7cbbbc6d
commit ab7cbbbc6d
parent 321ce4f77e 8b1f497bc4
2 changed files with 46 additions and 34 deletions
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@ -68,6 +68,7 @@ func TLSConfig(mainDomainSuffix string,
 			}

 			targetOwner := ""
+			mayObtainCert := true
 			if strings.HasSuffix(sni, mainDomainSuffix) || strings.EqualFold(sni, mainDomainSuffix[1:]) {
 				// deliver default certificate for the main domain (*.codeberg.page)
 				sni = mainDomainSuffix
@ -85,7 +86,9 @@ func TLSConfig(mainDomainSuffix string,
 					}
 					_, valid := targetOpt.CheckCanonicalDomain(giteaClient, sni, mainDomainSuffix, canonicalDomainCache)
 					if !valid {
-						sni = mainDomainSuffix
+						// We shouldn't obtain a certificate when we cannot check if the
+						// repository has specified this domain in the `.domains` file.
+						mayObtainCert = false
 					}
 				}
 			}
@ -103,6 +106,10 @@ func TLSConfig(mainDomainSuffix string,
 					return nil, errors.New("won't request certificate for main domain, something really bad has happened")
 				}

+				if !mayObtainCert {
+					return nil, fmt.Errorf("won't request certificate for %q", sni)
+				}
+
 				tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits, certDB)
 				if err != nil {
 					return nil, err