Merge pull request #7135 from mailcow/staging

Update 2026-03a

data/Dockerfiles/acme/acme.sh

@@ -323,11 +323,9 @@ while true; do
 
   # Check if MAILCOW_HOSTNAME is covered by a wildcard in ADDITIONAL_SAN
   MAILCOW_HOSTNAME_COVERED=0
-  if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} && ! -z ${ADDITIONAL_SAN} ]]; then
-    # Extract parent domain from MAILCOW_HOSTNAME (e.g., mail.example.com -> example.com)
-    MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
-    # Check if ADDITIONAL_SAN contains a wildcard for this parent domain
-    if [[ "${ADDITIONAL_SAN}" == *"*.${MAILCOW_PARENT_DOMAIN}"* ]]; then
+  if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} ]]; then
+    if is_covered_by_wildcard "${VALIDATED_MAILCOW_HOSTNAME}"; then
+      MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
       log_f "MAILCOW_HOSTNAME '${VALIDATED_MAILCOW_HOSTNAME}' is covered by wildcard '*.${MAILCOW_PARENT_DOMAIN}' - skipping explicit hostname"
       MAILCOW_HOSTNAME_COVERED=1
     fi

data/Dockerfiles/acme/functions.sh

@@ -136,12 +136,19 @@ verify_challenge_path(){
   fi
 }
 
-# Check if a domain is covered by a wildcard in ADDITIONAL_SAN
+# Check if a domain is covered by a wildcard (*.example.com) in ADDITIONAL_SAN
 # Usage: is_covered_by_wildcard "subdomain.example.com"
 # Returns: 0 if covered, 1 if not covered
+# Note: Only returns 0 (covered) when DNS-01 challenge is enabled,
+#       as wildcards cannot be validated with HTTP-01 challenge
 is_covered_by_wildcard() {
   local DOMAIN=$1
 
+  # Only skip if DNS challenge is enabled (wildcards require DNS-01)
+  if [[ ${ACME_DNS_CHALLENGE} != "y" ]]; then
+    return 1
+  fi
+
   # Return early if no ADDITIONAL_SAN is set
   if [[ -z ${ADDITIONAL_SAN} ]]; then
     return 1