diff --git a/server/tls_conf.go b/server/tls_conf.go index 195d5309..5bb6e836 100644 --- a/server/tls_conf.go +++ b/server/tls_conf.go @@ -24,14 +24,15 @@ import ( // getTlsConfig returns a proper tls configuration given the options passed in. // The tls config may either procure certifiates from LetsEncrypt, from disk or be nil(for non-tls traffic) func getTlsConfig(o opts, logger log.Logger) (*tls.Config, error) { - if o.tls.email != "" { - // 1. use letsencrypt. - // - + if o.tls.enabled { if err := validateDomain(o.tls.domain); err != nil { return nil, err } + } + if o.tls.email != "" { + // 1. use letsencrypt. + // const letsEncryptProductionUrl = "https://acme-v02.api.letsencrypt.org/directory" _ = letsEncryptProductionUrl const letsEncryptStagingUrl = "https://acme-staging-v02.api.letsencrypt.org/directory" @@ -90,7 +91,7 @@ func getTlsConfig(o opts, logger log.Logger) (*tls.Config, error) { func validateDomain(domain string) error { if len(domain) < 1 { - return ongErrors.New("domain cannot be empty if email is also specified") + return ongErrors.New("domain cannot be empty if email/certFile is also specified") } if strings.Count(domain, "*") > 1 { return ongErrors.New("domain can only contain one wildcard character") @@ -98,6 +99,9 @@ func validateDomain(domain string) error { if strings.Contains(domain, "*") && !strings.HasPrefix(domain, "*") { return ongErrors.New("wildcard character should be a prefix") } + if strings.Contains(domain, "*") && domain[1] != '.' { + return ongErrors.New("wildcard character should be followed by a `.` character") + } if !strings.Contains(domain, "*") { // not wildcard diff --git a/server/tls_conf_test.go b/server/tls_conf_test.go index bd940ef3..d829e0c0 100644 --- a/server/tls_conf_test.go +++ b/server/tls_conf_test.go 
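Review bot: In the first hunk the LetsEncrypt branch (`if o.tls.email != "" {`) no longer validates the domain itself; it relies on `o.tls.enabled` having been true in the block just above it. The hunk does not show how `enabled` is derived, so if it can be false while `email` is set, the ACME path now proceeds with an unvalidated, possibly empty domain. Either document the invariant above the gate, e.g. `// o.tls.enabled is set whenever email or certFile is given; the domain is validated once here for both paths`, or keep a `validateDomain(o.tls.domain)` call inside the email branch so the check cannot be bypassed by a caller that sets email alone. getTlsConfig's body continues outside the hunk.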
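Review bot: In the third hunk the new guard `domain[1] != '.'` indexes past the end of a one-byte domain: the input `*` passes the empty, count and prefix checks above it and then panics with an index out of range instead of returning an error, so a bad config value takes the server down rather than being reported. Replace the condition with a prefix test that does not index, `if strings.HasPrefix(domain, "*") && !strings.HasPrefix(domain, "*.") {`, and keep the existing error message. validateDomain's body continues past the hunk, so whether a bare `*.` is rejected by the later checks cannot be confirmed here.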
@@ -217,6 +217,7 @@ func TestValidateDomain(t *testing.T) { {"one.example.com", true}, // {"*.example.org", true}, + {"*example.org", false}, // wildcard character should be followed by a `.` character {"*.example.*", false}, {"example.*org", false}, //
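Review bot: The table gains a case for a missing dot after the wildcard but none for a bare `*`, which is the input that exercises the one-byte boundary of the new `domain[1]` check in validateDomain; add `{"*", false}, // bare wildcard is not a domain` next to the new case. With the code as committed that case would panic rather than return an error, which is exactly what the test should surface before the validator is used on operator-supplied config. The test table starts and ends outside the hunk.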