From 6b385a36f9750b7a66300bbb2167ea5a4d26a61f Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Wed, 2 Mar 2022 13:42:38 -0700
Subject: [PATCH] caddyhttp: Don't attempt to manage Tailscale certs

If .ts.net domains are explicitly added to config, don't try to manage a cert for them (it will fail, and our implicit Tailscale module will get those certs at run-time).
---
 modules/caddyhttp/autohttps.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index 3e38d1b3..eb66114c 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -152,7 +152,9 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 return fmt.Errorf("%s: route %d, matcher set %d, matcher %d, host matcher %d: %v", srvName, routeIdx, matcherSetIdx, matcherIdx, hostMatcherIdx, err)
 }
-if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) {
+// only include domain if it's not explicitly skipped and it's not a Tailscale domain
+// (the implicit Tailscale manager module will get those certs at run-time)
+if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) && !isTailscaleDomain(d) {
 serverDomainSet[d] = struct{}{}
 }
 }
@@ -688,4 +690,8 @@ func implicitTailscale(ctx caddy.Context) (caddytls.Tailscale, error) {
 return ts, err
 }
+func isTailscaleDomain(name string) bool {
+return strings.HasSuffix(strings.ToLower(name), ".ts.net")
+}
+
 type acmeCapable interface{ GetACMEIssuer() *caddytls.ACMEIssuer }
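Review bot: The new `isTailscaleDomain` in the second hunk has no doc comment, yet its suffix match decides which configured hosts are excluded from automatic certificate management, so it should state that contract: `// isTailscaleDomain reports whether name ends in ".ts.net" (case-insensitively); such names are left out of automatic cert management because the implicit Tailscale module obtains their certs at run-time.` A fully-qualified name with a trailing dot (`host.ts.net.`) does not match this check and would fall through to normal management, which the commit message says will fail; if such names can reach this point from the host matcher (not visible in the hunk), `strings.TrimSuffix(name, ".")` before the comparison would close that. The same check in the first hunk also means a `.ts.net` host for which the Tailscale module is not actually available will now fail only at TLS handshake time rather than at config load, which is worth a sentence in the comment added there so operators know where to look. The enclosing `automaticHTTPSPhase1` and `implicitTailscale` bodies both start outside their hunks.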