caddyhttp: Don't attempt to manage Tailscale certs

If .ts.net domains are explicitly added to config, don't try to manage a cert for them (it will fail, and our implicit Tailscale module will get those certs at run-time).
caddyserver · Mar 2, 2022 · 6b385a3 · 6b385a3
1 parent 9b7cdfa
commit 6b385a3
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
@@ -152,7 +152,9 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 								return fmt.Errorf("%s: route %d, matcher set %d, matcher %d, host matcher %d: %v",
 									srvName, routeIdx, matcherSetIdx, matcherIdx, hostMatcherIdx, err)
 							}
-							if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) {
+							// only include domain if it's not explicitly skipped and it's not a Tailscale domain
+							// (the implicit Tailscale manager module will get those certs at run-time)
+							if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) && !isTailscaleDomain(d) {
 								serverDomainSet[d] = struct{}{}
 							}
 						}
@@ -688,4 +690,8 @@ func implicitTailscale(ctx caddy.Context) (caddytls.Tailscale, error) {
 	return ts, err
 }
 
+func isTailscaleDomain(name string) bool {
+	return strings.HasSuffix(strings.ToLower(name), ".ts.net")
+}
+
 type acmeCapable interface{ GetACMEIssuer() *caddytls.ACMEIssuer }