caddypki: Disable internal auto-CA when auto_https is disabled (fix #7211) (#7238)

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2025-11-01 22:32:23 +08:00 · 2025-09-05 17:41:06 +02:00
parent 38848f7f25
commit d9cc24f3df
2 changed files with 29 additions and 1 deletions
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@ -265,6 +265,22 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 		}
 	}

+	// if all servers have auto_https disabled and no domains need certs,
+	// skip the rest of the TLS automation setup to avoid creating
+	// unnecessary PKI infrastructure and automation policies
+	allServersDisabled := true
+	for _, srv := range app.Servers {
+		if srv.AutoHTTPS == nil || !srv.AutoHTTPS.Disabled {
+			allServersDisabled = false
+			break
+		}
+	}
+
+	if allServersDisabled && len(uniqueDomainsForCerts) == 0 {
+		logger.Debug("all servers have automatic HTTPS disabled and no domains need certificates, skipping TLS automation setup")
+		return nil
+	}
+
 	// we now have a list of all the unique names for which we need certs
 	var internal, tailscale []string
 uniqueDomainsLoop: