acme/autocert: check host policy before probing the cache

Avoid unnessecary cache probes for names that don't match the host policy. Fixes golang/go#71199 Change-Id: I11e8465b0416e960a549b0c0d74a622026c39931 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/651296 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]>
golang · Feb 22, 2025 · f66f74b · f66f74b
1 parent b0784b7
commit f66f74b
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
@@ -292,6 +292,10 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 	}
 
 	// regular domain
+	if err := m.hostPolicy()(ctx, name); err != nil {
+		return nil, err
+	}
+
 	ck := certKey{
 		domain: strings.TrimSuffix(name, "."), // golang.org/issue/18114
 		isRSA:  !supportsECDSA(hello),
@@ -305,9 +309,6 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 	}
 
 	// first-time
-	if err := m.hostPolicy()(ctx, name); err != nil {
-		return nil, err
-	}
 	cert, err = m.createCert(ctx, ck)
 	if err != nil {
 		return nil, err