From 7817dda43fc324463506cd9014dde7dd25f1c82e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Fri, 13 Mar 2026 13:08:18 +0100
Subject: [PATCH] [ACME] Skip subdomains covered by wildcards (DNS-01 challenge only)
---
 data/Dockerfiles/acme/acme.sh | 8 +++-----
 data/Dockerfiles/acme/functions.sh | 9 ++++++++-
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/data/Dockerfiles/acme/acme.sh b/data/Dockerfiles/acme/acme.sh
index 6472688a..271de4fc 100755
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -323,11 +323,9 @@ while true; do
 # Check if MAILCOW_HOSTNAME is covered by a wildcard in ADDITIONAL_SAN
 MAILCOW_HOSTNAME_COVERED=0
- if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} && ! -z ${ADDITIONAL_SAN} ]]; then
- # Extract parent domain from MAILCOW_HOSTNAME (e.g., mail.example.com -> example.com)
- MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
- # Check if ADDITIONAL_SAN contains a wildcard for this parent domain
- if [[ "${ADDITIONAL_SAN}" == *"*.${MAILCOW_PARENT_DOMAIN}"* ]]; then
+ if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} ]]; then
+ if is_covered_by_wildcard "${VALIDATED_MAILCOW_HOSTNAME}"; then
+ MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
 log_f "MAILCOW_HOSTNAME '${VALIDATED_MAILCOW_HOSTNAME}' is covered by wildcard '*.${MAILCOW_PARENT_DOMAIN}' - skipping explicit hostname"
 MAILCOW_HOSTNAME_COVERED=1
 fi
diff --git a/data/Dockerfiles/acme/functions.sh b/data/Dockerfiles/acme/functions.sh
index bc4691ec..707f4695 100644
--- a/data/Dockerfiles/acme/functions.sh
+++ b/data/Dockerfiles/acme/functions.sh
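Review bot: The new `MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)` line forks two processes and expands the hostname unquoted only to strip the first label, which the builtin expansion `MAILCOW_PARENT_DOMAIN=${VALIDATED_MAILCOW_HOSTNAME#*.}` does with identical results (including a single-label hostname, where both return the name unchanged). The outer guard reads more naturally as `if [[ -n ${VALIDATED_MAILCOW_HOSTNAME} ]]; then` than `! -z`. Because the non-empty check on ADDITIONAL_SAN moved into the helper, the decision to leave the explicit hostname out of the order now rests entirely on is_covered_by_wildcard; if the trusted wildcard is then not issued, the hostname presumably ends up with no certificate at all, which deserves a one-line comment at the `MAILCOW_HOSTNAME_COVERED=1` assignment (the order logic itself is outside this hunk). The enclosing `while true` loop begins and ends outside the hunk.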
@@ -136,12 +136,19 @@ verify_challenge_path(){
 fi
 }
-# Check if a domain is covered by a wildcard in ADDITIONAL_SAN
+# Check if a domain is covered by a wildcard (*.example.com) in ADDITIONAL_SAN
 # Usage: is_covered_by_wildcard "subdomain.example.com"
 # Returns: 0 if covered, 1 if not covered
+# Note: Only returns 0 (covered) when DNS-01 challenge is enabled,
+# as wildcards cannot be validated with HTTP-01 challenge
 is_covered_by_wildcard() {
 local DOMAIN=$1
+ # Only skip if DNS challenge is enabled (wildcards require DNS-01)
+ if [[ ${ACME_DNS_CHALLENGE} != "y" ]]; then
+ return 1
+ fi
 # Return early if no ADDITIONAL_SAN is set
 if [[ -z ${ADDITIONAL_SAN} ]]; then
 return 1
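Review bot: The new guard `if [[ ${ACME_DNS_CHALLENGE} != "y" ]]; then` reads the variable bare, so an unset ACME_DNS_CHALLENGE would abort the function under `set -u` (whether the sourcing script enables that or normalises the value is not visible here), and a value like `Y` is treated as disabled; writing `if [[ ${ACME_DNS_CHALLENGE:-} != "y" ]]; then` makes the fall-back to "not covered" explicit, which is the safe direction because a hostname dropped in favour of a wildcard that HTTP-01 cannot validate would be left without a certificate. The header comment describes usage and return codes but not the globals the function now depends on; add `# Globals: ACME_DNS_CHALLENGE, ADDITIONAL_SAN (read only)` under the Usage line. The wildcard matching and the remainder of is_covered_by_wildcard continue past the end of this hunk.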