From 935b09de836d5ce001632193ac21c19abf0a57ed Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Fri, 30 Jan 2026 12:24:59 -0700
Subject: [PATCH] caddtls: Skip .ts.net domains for ECH (#6971)

As it is also a special case in our automatic HTTPS.
---
 modules/caddytls/ech.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/caddytls/ech.go b/modules/caddytls/ech.go
index a5b70d17d..a53344202 100644
--- a/modules/caddytls/ech.go
+++ b/modules/caddytls/ech.go
@@ -392,6 +392,10 @@ func (t *TLS) publishECHConfigs(logger *zap.Logger) error {
 			if publication.Domains == nil {
 				serverNamesSet = make(map[string]struct{}, len(t.serverNames))
 				for name := range t.serverNames {
+					// skip Tailscale names, a special case we also handle differently in our auto-HTTPS
+					if strings.HasSuffix(name, ".ts.net") {
+						continue
+					}
 					serverNamesSet[name] = struct{}{}
 				}
 			} else {