From 63631b1118db80f442a25a4766ba32fc8911d913 Mon Sep 17 00:00:00 2001
From: zhengkunwang <31820853+zhengkunwang223@users.noreply.github.com>
Date: Mon, 10 Mar 2025 18:29:06 +0800
Subject: [PATCH] feat: Add validation when applying wildcard domain certificates in HTTP mode (#8112)

---
 agent/app/service/website_ssl.go | 25 ++++++++++++++++++++-----
 agent/i18n/lang/zh.yaml | 1 +
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/agent/app/service/website_ssl.go b/agent/app/service/website_ssl.go
index 4e0b32587..5b2a91a5e 100644
--- a/agent/app/service/website_ssl.go
+++ b/agent/app/service/website_ssl.go
@@ -154,6 +154,16 @@ func (w WebsiteSSLService) Create(create request.WebsiteSSLCreate) (request.Webs
 domains = append(domains, domain)
 }
 }
+ if create.Provider == constant.Http {
+ if strings.Contains(create.PrimaryDomain, "*") {
+ return res, buserr.New("ErrWildcardDomain")
+ }
+ for _, domain := range domains {
+ if strings.Contains(domain, "*") {
+ return res, buserr.New("ErrWildcardDomain")
+ }
+ }
+ }
 websiteSSL.Domains = strings.Join(domains, ",")

 if create.Provider == constant.DNSAccount || create.Provider == constant.Http {
@@ -234,6 +244,11 @@ func (w WebsiteSSLService) ObtainSSL(apply request.WebsiteSSLApply) error {
 return err
 }

+ domains := []string{websiteSSL.PrimaryDomain}
+ if websiteSSL.Domains != "" {
+ domains = append(domains, strings.Split(websiteSSL.Domains, ",")...)
+ }
+
 switch websiteSSL.Provider {
 case constant.DNSAccount:
 dnsAccount, err = websiteDnsRepo.GetFirst(repo.WithByID(websiteSSL.DnsAccountID))
@@ -251,6 +266,11 @@ func (w WebsiteSSLService) ObtainSSL(apply request.WebsiteSSLApply) error {
 }
 return err
 }
+ for _, domain := range domains {
+ if strings.Contains(domain, "*") {
+ return buserr.New("ErrWildcardDomain")
+ }
+ }
 if err := client.UseHTTP(path.Join(appInstall.GetPath(), "root")); err != nil {
 return err
 }
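Review bot: The wildcard scan added to Create and the one added to ObtainSSL in the `@@ -251,6 +266,11 @@` hunk are the same loop written twice, plus a third copy for `create.PrimaryDomain`, so the two validation points can drift apart; a small helper keeps them in step, replacing the nested block in Create with `if create.Provider == constant.Http && (hasWildcard(create.PrimaryDomain) || hasWildcard(domains...)) {` and the loop in ObtainSSL with `if hasWildcard(domains...) {`. Re-checking the stored domains in ObtainSSL is worth keeping even with the Create check, since records saved before this commit never went through it. The `ErrWildcardDomain` key is added only to agent/i18n/lang/zh.yaml in this commit (see the diffstat), so if the agent ships other language files they will surface the raw key until matching entries exist. Both Create and ObtainSSL start and end outside their hunks; the ObtainSSL check presumably sits inside the `constant.Http` branch, but the enclosing case label is not visible here.
```go
// hasWildcard reports whether any of the given domains contains a "*";
// the HTTP provider cannot issue certificates for such names.
func hasWildcard(domains ...string) bool {
	for _, d := range domains {
		if strings.Contains(d, "*") {
			return true
		}
	}
	return false
}

// … in Create, replacing the added nested loop …
	if create.Provider == constant.Http && (hasWildcard(create.PrimaryDomain) || hasWildcard(domains...)) {
		return res, buserr.New("ErrWildcardDomain")
	}

// … in ObtainSSL (the @@ -251 hunk), replacing the added loop …
	if hasWildcard(domains...) {
		return buserr.New("ErrWildcardDomain")
	}
```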
@@ -260,11 +280,6 @@ func (w WebsiteSSLService) ObtainSSL(apply request.WebsiteSSLApply) error {
 }
 }

- domains := []string{websiteSSL.PrimaryDomain}
- if websiteSSL.Domains != "" {
- domains = append(domains, strings.Split(websiteSSL.Domains, ",")...)
- }
-
 var privateKey crypto.PrivateKey
 if websiteSSL.PrivateKey == "" {
 privateKey, err = certcrypto.GeneratePrivateKey(ssl.KeyType(websiteSSL.KeyType))
diff --git a/agent/i18n/lang/zh.yaml b/agent/i18n/lang/zh.yaml
index 4b6bef576..9e65f8766 100644
--- a/agent/i18n/lang/zh.yaml
+++ b/agent/i18n/lang/zh.yaml
@@ -157,6 +157,7 @@ ExecShellStart: "开始执行脚本"
 ExecShellSuccess: "脚本执行成功"
 StartUpdateSystemSSL: "开始更新系统证书"
 UpdateSystemSSLSuccess: "更新系统证书成功"
+ErrWildcardDomain: "HTTP 模式无法申请泛域名证书"

 #mysql
 ErrUserIsExist: "当前用户已存在,请重新输入"