From f66f74b0a406b5f6909183531ace593857f1646c Mon Sep 17 00:00:00 2001
From: Roland Shoemaker
Date: Fri, 21 Feb 2025 09:59:08 -0800
Subject: acme/autocert: check host policy before probing the cache

Avoid unnessecary cache probes for names that don't match the host policy.

Fixes golang/go#71199

Change-Id: I11e8465b0416e960a549b0c0d74a622026c39931
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/651296
Reviewed-by: Dmitri Shuralyov
Reviewed-by: Dmitri Shuralyov
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Gopher Robot
Reviewed-by: Roland Shoemaker
---
 acme/autocert/autocert.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 6b4cdf4..ccd5b7e 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -292,6 +292,10 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 }
 
 // regular domain
+ if err := m.hostPolicy()(ctx, name); err != nil {
+ return nil, err
+ }
+
 ck := certKey{
 domain: strings.TrimSuffix(name, "."), // golang.org/issue/18114
 isRSA: !supportsECDSA(hello),
@@ -305,9 +309,6 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 }
 
 // first-time
- if err := m.hostPolicy()(ctx, name); err != nil {
- return nil, err
- }
 cert, err = m.createCert(ctx, ck)
 if err != nil {
 return nil, err
--
cgit v1.3
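Review bot: The policy call added in the first hunk receives `name` unchanged, while the `certKey` built directly below it keys the cache on `strings.TrimSuffix(name, ".")`, so the policy and the cache can disagree about a name that ends in a dot. Before this change such a name with a cached certificate was returned without the policy being consulted; now a policy that matches names exactly would reject it (whether the configured policies normalise the dot is not visible here). If that is unintended, hand the policy the same value the cache uses, e.g. `if err := m.hostPolicy()(ctx, strings.TrimSuffix(name, ".")); err != nil {`. The policy also now runs on every handshake for a regular domain rather than only before first issuance, and the diffstat lists only autocert.go, so a test asserting that a rejected name never reaches the cache would pin the new ordering. GetCertificate's body starts and ends outside both hunks.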