acme/autocert: check host policy before probing the cache

Avoid unnecessary cache probes for names that don't match the host
policy.

Fixes golang/go#71199

Change-Id: I11e8465b0416e960a549b0c0d74a622026c39931
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/651296
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 6b4cdf4..ccd5b7e 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -292,6 +292,10 @@
 	}
 
 	// regular domain
+	if err := m.hostPolicy()(ctx, name); err != nil {
+		return nil, err
+	}
+
 	ck := certKey{
 		domain: strings.TrimSuffix(name, "."), // golang.org/issue/18114
 		isRSA:  !supportsECDSA(hello),
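Review bot: The host policy call added above `ck := certKey{` now runs on every handshake for a regular domain, including handshakes that would be served from the cache, and nothing in the new code says so. Before this change a cache hit returned without consulting the policy, so a HostPolicy that is slow or can fail transiently (a lookup against a backing store, say) will now add latency to, or reject, handshakes for names that already have a valid cached certificate. I would state that on the new check, e.g. `// Checked on every handshake, before the cache lookup: the policy must be cheap, and a policy error fails the handshake even if a certificate is cached.`, and repeat it in the HostPolicy field documentation, which is outside this hunk. The enclosing function begins and ends outside the hunk, so whether `name` is already normalized when it reaches the policy cannot be confirmed from here.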
@@ -305,9 +309,6 @@
 	}
 
 	// first-time
-	if err := m.hostPolicy()(ctx, name); err != nil {
-		return nil, err
-	}
 	cert, err = m.createCert(ctx, ck)
 	if err != nil {
 		return nil, err