fix: restrict protocol for TLS Challenge.

Author: ldez

pkg/tls/tlsmanager.go

@@ -106,7 +106,7 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
 	tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 		domainToCheck := types.CanonicalDomain(clientHello.ServerName)
 
-		if m.TLSAlpnGetter != nil {
+		if m.TLSAlpnGetter != nil && isACMETLS(clientHello) {
 			cert, err := m.TLSAlpnGetter(domainToCheck)
 			if err != nil {
 				return nil, err
@@ -282,3 +282,13 @@ func buildDefaultCertificate(defaultCertificate *Certificate) (*tls.Certificate,
 	}
 	return &cert, nil
 }
+
+func isACMETLS(clientHello *tls.ClientHelloInfo) bool {
+	for _, proto := range clientHello.SupportedProtos {
+		if proto == tlsalpn01.ACMETLS1Protocol {
+			return true
+		}
+	}
+
+	return false
+}