Allow on-demand certs for the server's own infrastructure hosts#15

Merged
mechelon merged 2 commits into
mainfrom
fix/ondemand-tls-allow-server-host
Jun 25, 2026

Conversation

@mechelon

Collaborator

Why

Follow-up to the on-demand TLS ask endpoint (/expose/can-issue-certificate, added in #14). On a canary deploy it refused the bare server hostname (ap-1.sharedwithexpose.com) and the admin subdomain, because neither is backed by a tunnel — but the wildcard certificate covers *.host, not the host itself, so the server host reaches the on-demand path. The refusal failed the control-connection TLS handshake (ECONNRESET), so clients could no longer connect.

What

  • Always allow infrastructure hosts — the server's own hostname and the admin subdomain — mirroring the allows the previous platform ask had. This fixes the canary regression.
  • Configurable allow-list — a new optional on_demand_tls.always_allow_hosts config for any additional non-tunnel hosts that should still obtain a certificate (e.g. a status page). Default empty.
  • Otherwise unchanged: a certificate is permitted only for a host with a live tunnel.
  • Trims the controller doc-comment (the full explanation goes into the SSL docs, handled separately).
```php
// config/expose-server.php
'on_demand_tls' => [
    // Additional non-tunnel hosts that may still obtain a certificate; empty by default.
    'always_allow_hosts' => [],
],
```

Safety

The endpoint stays inert until a Caddyfile points its on-demand ask at it, so merging changes nothing for existing setups. No expose-config switch is required to use the feature; activation lives entirely in Caddy.

Tests

tests/Feature/Server (56 passing), incl. certificate cases: refuse-without-tunnel, allow-with-tunnel, allow-server-host, allow-admin-subdomain, allow-configured-host.
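The allow decision described above, modelled as an added example in Python (this is not code from this PR or from the expose project, which implements the endpoint in PHP). It assumes the admin subdomain is the `admin` label under the server host, that live tunnels are known as a set of hostnames, and it follows the Caddy on-demand `ask` contract: Caddy sends a GET with a `domain` query parameter and issues a certificate only on a 200 response. Matching is exact-host only, so a permissive entry cannot turn the endpoint into an open certificate-issuance oracle for arbitrary names under the wildcard.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class OnDemandTlsPolicy:
    """Decides whether a certificate may be issued for a requested host."""

    server_host: str                      # e.g. the bare server hostname
    admin_subdomain: str = "admin"        # assumed label for the admin dashboard
    always_allow_hosts: list[str] = field(default_factory=list)  # the new config option
    live_tunnels: set[str] = field(default_factory=set)          # hostnames backed by a tunnel

    @staticmethod
    def _normalize(host: str) -> str:
        # Lower-case and drop a trailing dot so "Host." and "host" compare equal.
        return host.strip().lower().rstrip(".")

    def infrastructure_hosts(self) -> set[str]:
        # The server's own hostname and the admin subdomain are always allowed,
        # because the wildcard covers *.host but not the host itself.
        base = self._normalize(self.server_host)
        return {base, f"{self.admin_subdomain}.{base}"}

    def can_issue(self, domain: str) -> bool:
        host = self._normalize(domain)
        if not host:
            return False
        if host in self.infrastructure_hosts():
            return True
        if host in {self._normalize(h) for h in self.always_allow_hosts}:
            return True
        # Otherwise unchanged: only a host with a live tunnel gets a certificate.
        return host in {self._normalize(h) for h in self.live_tunnels}


def handle_ask(policy: OnDemandTlsPolicy, request_target: str) -> tuple[int, str]:
    """Minimal handler for Caddy's on_demand_tls ask: 200 allows, anything else denies."""
    params = parse_qs(urlsplit(request_target).query)
    domains = params.get("domain", [])
    if len(domains) != 1:
        # Refuse ambiguous or missing input rather than guessing.
        return 400, "expected exactly one domain parameter"
    if policy.can_issue(domains[0]):
        return 200, "ok"
    return 403, "no tunnel for host"


if __name__ == "__main__":
    # Constructed sample state: server host from the PR, one live tunnel, one configured extra host.
    policy = OnDemandTlsPolicy(
        server_host="ap-1.sharedwithexpose.com",
        always_allow_hosts=["status.sharedwithexpose.com"],
        live_tunnels={"demo.ap-1.sharedwithexpose.com"},
    )
    for target in (
        "/expose/can-issue-certificate?domain=ap-1.sharedwithexpose.com",
        "/expose/can-issue-certificate?domain=admin.ap-1.sharedwithexpose.com",
        "/expose/can-issue-certificate?domain=demo.ap-1.sharedwithexpose.com",
        "/expose/can-issue-certificate?domain=unknown.ap-1.sharedwithexpose.com",
    ):
        print(target, "->", handle_ask(policy, target))
```

In Caddy the endpoint is wired up with the global `on_demand_tls { ask <url> }` option; until that is set, nothing calls the handler, which is the "inert until configured" property the PR relies on.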

mechelon added 2 commits June 25, 2026 10:50
The on-demand TLS ask endpoint refused the bare server hostname and the admin subdomain because neither is backed by a tunnel - but the wildcard cert covers *.host, not the host itself, so the server host reaches the on-demand path and broke the control-connection TLS handshake on a canary deploy.

Always allow the server hostname and admin subdomain (mirroring the previous platform ask), plus any hosts listed under the new on_demand_tls.always_allow_hosts config, in addition to hosts with a live tunnel. Adds tests for each case and trims the controller doc-comment (full docs live in the SSL docs).

Inert until a Caddyfile points its on-demand ask at the endpoint, so existing setups are unaffected.
@mechelon mechelon merged commit ac29a94 into main Jun 25, 2026
12 checks passed
@mechelon mechelon deleted the fix/ondemand-tls-allow-server-host branch June 25, 2026 09:02