From 794af40f68e05a1ffb8792ddb87c6f1a7c02cae1 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Sat, 17 Feb 2024 06:27:30 -0800
Subject: [PATCH] ipn/ipnlocal: remove ancient transition mechanism for https certs

And confusing error message that duplicated the valid cert domains.

Fixes tailscale/corp#15876

Change-Id: I098bc45d83c8d1e0a233dcdf3188869cce66e128
Signed-off-by: Brad Fitzpatrick
---
 ipn/ipnlocal/cert.go | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

diff --git a/ipn/ipnlocal/cert.go b/ipn/ipnlocal/cert.go
index aa4e2bcc7..ce8c0463d 100644
--- a/ipn/ipnlocal/cert.go
+++ b/ipn/ipnlocal/cert.go
@@ -688,23 +688,8 @@ func checkCertDomain(st *ipnstate.Status, domain string) error {
 return nil
 }
 }
- // Transitional way while server doesn't yet populate CertDomains: also permit the client
- // attempting Self.DNSName.
- okay := st.CertDomains[:len(st.CertDomains):len(st.CertDomains)]
- if st.Self != nil {
- if v := strings.Trim(st.Self.DNSName, "."); v != "" {
- if v == domain {
- return nil
- }
- okay = append(okay, v)
- }
- }
- switch len(okay) {
- case 0:
+ if len(st.CertDomains) == 0 {
 return errors.New("your Tailscale account does not support getting TLS certs")
- case 1:
- return fmt.Errorf("invalid domain %q; only %q is permitted", domain, okay[0])
- default:
- return fmt.Errorf("invalid domain %q; must be one of %q", domain, okay)
 }
+ return fmt.Errorf("invalid domain %q; must be one of %q", domain, st.CertDomains)
 }
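Review bot: With the Self.DNSName fallback removed, `st.CertDomains` is the only allow-list this function consults, but nothing at the new `if len(st.CertDomains) == 0 {` check says so, and the patch touches only cert.go, so no test pins the stricter behaviour. A short comment above that check, such as `// st.CertDomains is the sole allow-list; Self.DNSName is intentionally not consulted.`, would make it harder for a later change to quietly reintroduce the fallback. A test case where `domain` equals the trimmed `Self.DNSName` but is absent from `CertDomains`, and must return an error, would lock this in; whether one already exists elsewhere is not visible here. checkCertDomain begins above the hunk, so the matching loop that returns nil is not shown.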