Diffstat (limited to 'core/https')
-rw-r--r-- | core/https/handshake.go | 6 | ||||
-rw-r--r-- | core/https/https.go | 25 |
2 files changed, 4 insertions, 27 deletions
diff --git a/core/https/handshake.go b/core/https/handshake.go
index 4c1fc22c3..1334b9ff4 100644
--- a/core/https/handshake.go
+++ b/core/https/handshake.go
@@ -76,11 +76,7 @@ func getCertDuringHandshake(name string, loadIfNecessary, obtainIfNecessary bool
 return Certificate{}, err
 }
 
- // Name has to qualify for a certificate
- if !HostQualifies(name) {
- return cert, errors.New("hostname '" + name + "' does not qualify for certificate")
- }
-
+ // TODO(miek): deleted, tls will be enabled when a keyword is specified.
 // Obtain certificate from the CA
 return obtainOnDemandCertificate(name)
 }
diff --git a/core/https/https.go b/core/https/https.go
index 0deb88b86..7763c0a16 100644
--- a/core/https/https.go
+++ b/core/https/https.go
@@ -10,7 +10,6 @@ import (
 "io/ioutil"
 "net"
 "os"
- "strings"
 
 "github.com/miekg/coredns/server"
 "github.com/xenolf/lego/acme"
@@ -118,7 +117,7 @@ func ObtainCerts(configs []server.Config, allowPrompts, proxyACME bool) error {
 
 var client *ACMEClient
 for _, cfg := range group {
- if !HostQualifies(cfg.Host) || existingCertAndKey(cfg.Host) {
+ if existingCertAndKey(cfg.Host) {
 continue
 }
 
@@ -184,7 +183,7 @@ func EnableTLS(configs []server.Config, loadCertificates bool) error {
 continue
 }
 configs[i].TLS.Enabled = true
- if loadCertificates && HostQualifies(configs[i].Host) {
+ if loadCertificates {
 _, err := cacheManagedCertificate(configs[i].Host, false)
 if err != nil {
 return err
@@ -227,25 +226,7 @@ func ConfigQualifies(cfg server.Config) bool {
 
 // we get can't certs for some kinds of hostnames, but
 // on-demand TLS allows empty hostnames at startup
- (HostQualifies(cfg.Host) || cfg.TLS.OnDemand)
-}
-
-// HostQualifies returns true if the hostname alone
-// appears eligible for automatic HTTPS. For example,
-// localhost, empty hostname, and IP addresses are
-// not eligible because we cannot obtain certificates
-// for those names.
-func HostQualifies(hostname string) bool {
- return hostname != "localhost" && // localhost is ineligible
-
- // hostname must not be empty
- strings.TrimSpace(hostname) != "" &&
-
- // cannot be an IP address, see
- // https://community.letsencrypt.org/t/certificate-for-static-ip/84/2?u=mholt
- // (also trim [] from either end, since that special case can sneak through
- // for IPv6 addresses using the -host flag and with empty/no Caddyfile)
- net.ParseIP(strings.Trim(hostname, "[]")) == nil
+ cfg.TLS.OnDemand
 }
 
 // existingCertAndKey returns true if the host has a certificate |
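Review bot: Removing the HostQualifies guard means getCertDuringHandshake now forwards every SNI name — empty, `localhost`, or an IP literal — to obtainOnDemandCertificate, so each handshake for such a name starts an ACME order that cannot succeed; the ObtainCerts and EnableTLS hunks in https.go drop the same gate. The TODO promises a keyword-based switch, but nothing in this diff rejects those names in the meantime, and the function's doc comment (outside the hunk, as is the function's start) should say so until the keyword lands, e.g. `// NOTE: no hostname eligibility check is performed here; on-demand obtainment runs for any name until TLS is keyword-gated.` Also check whether `errors.New` on the removed line was the only use of the errors package in handshake.go — the diff leaves that file's imports untouched, unlike https.go where the now-unused `strings` import is dropped.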
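Review bot: The two context comment lines above the changed return clause — `// we get can't certs for some kinds of hostnames, but` / `// on-demand TLS allows empty hostnames at startup` — describe the HostQualifies alternative that this hunk removes, so they no longer match an expression that now simply requires cfg.TLS.OnDemand. Replace them with something like `// automatic HTTPS is currently enabled only for on-demand configs; hostname eligibility is no longer checked here` and update the ConfigQualifies doc comment (outside the hunk) to match. A config without OnDemand can no longer qualify at all, which looks intentional given the TODO in handshake.go but deserves to be stated explicitly. Confirm as well that `net` is still used elsewhere in https.go, since its only visible use was in the removed HostQualifies body while the import hunk keeps it.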