Revise consolidation logic

2026-05-13 09:06:41 +00:00 · 2026-03-25 13:46:00 -06:00 · 2026-03-25 13:46:00 -06:00 · 884753a790
commit 884753a790
parent 2db3b802ca
2 changed files with 6 additions and 5 deletions
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@ -702,6 +702,7 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 	emptyAP := new(caddytls.AutomationPolicy)
 	for i := 0; i < len(aps); i++ {
 		emptyAP.SubjectsRaw = aps[i].SubjectsRaw
+		emptyAP.ManagersRaw = nil
 		if reflect.DeepEqual(aps[i], emptyAP) {
 			// AP is empty
 			emptyAPCount++
@ -711,6 +712,10 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 			emptyAP.SubjectsRaw = nil
 			if shadowIdx >= 0 {
 				emptyAP.SubjectsRaw = aps[shadowIdx].SubjectsRaw
+				// allow the later policy, which is likely for a wildcard, to have cert
+				// managers ("get_certificate"), since wildcards now cover specific
+				// subdomains by default, when configured (see discussion in #7559)
+				emptyAP.ManagersRaw = aps[shadowIdx].ManagersRaw
 			}

 			// if this is the last AP, we can delete it, since auto-https should
--- a/caddytest/integration/caddyfile_adapt/tls_automation_policies_12.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_12.caddyfiletest
@ -6,6 +6,7 @@
 	respond "wildcard"
 }

+# certificate for this subdomain is covered by wildcard above
 subdomain.test.local {
 	respond "subdomain"
 }
@ -77,11 +78,6 @@ subdomain.test.local {
 		"tls": {
 			"automation": {
 				"policies": [
-					{
-						"subjects": [
-							"subdomain.test.local"
-						]
-					},
 					{
 						"subjects": [
 							"*.test.local"