From ddfef91ea5aa5ac08551eeb964d51a64db002cc5 Mon Sep 17 00:00:00 2001
From: "authentik-automation[bot]" <135050075+authentik-automation[bot]@users.noreply.github.com>
Date: Tue, 7 Apr 2026 02:08:50 +0200
Subject: [PATCH] internal: fix certificate fallback without SNI (cherry-pick #21417 to version-2026.2) (#21419) internal: fix certificate fallback without SNI (#21417) 21412: fix falls back to RSA instead of configured other TLS Certificates for a brand/domain Honor the other certificates other than RSA
Co-authored-by: Bapuji Koraganti <34816445+bkoragan@users.noreply.github.com>
---
 internal/web/web_tls.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/internal/web/web_tls.go b/internal/web/web_tls.go
index 7c4818ea1e..90371aae36 100644
--- a/internal/web/web_tls.go
+++ b/internal/web/web_tls.go
@@ -19,11 +19,7 @@ func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Config
 }
 return func(ch *tls.ClientHelloInfo) (*tls.Config, error) {
 cfg := utils.GetTLSConfig()
- if ch.ServerName == "" {
- cfg.Certificates = []tls.Certificate{fallback}
- return cfg, nil
- }
- if ws.ProxyServer != nil {
+ if ch.ServerName != "" && ws.ProxyServer != nil {
 appCert := ws.ProxyServer.GetCertificate(ch.ServerName)
 if appCert != nil {
 cfg.Certificates = []tls.Certificate{*appCert}
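Review bot: With the early return removed, a ClientHello that carries no SNI now falls through past the merged `if` into the selection code below the hunk, and nothing at the new condition records what that path is expected to do with `fallback` versus the brand certificates; a comment would help the next reader, e.g. `// No SNI means no per-application cert to look up; the brand/fallback selection below picks the certificate.` The closure returned by GetCertificate continues outside the hunk, so I cannot confirm from here that the code after it copes with an empty ServerName (for instance a brand lookup keyed on it) without ending up at the RSA fallback again, which is the behaviour the commit set out to change. A unit test that invokes the returned func with `&tls.ClientHelloInfo{ServerName: ""}` and asserts which certificate lands in `cfg.Certificates` would pin the intended no-SNI behaviour and keep it from regressing on the next cherry-pick.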