From 34c1e44c7e0166228269f69e72d0dba85cabab52 Mon Sep 17 00:00:00 2001
From: Denis Mishin
Date: Fri, 21 Apr 2023 12:37:32 -0400
Subject: [PATCH] tls: wildcard catch-all cert must be at the end of cert list (#4119)

---
 .gitignore                      | 1 +
 config/envoyconfig/listeners.go | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 51d82c770..dbbdfa7af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 .*.yaml
 .*.json
 .*.rego
+*.jq
 pem
 env
 coverage.txt
diff --git a/config/envoyconfig/listeners.go b/config/envoyconfig/listeners.go
index 954802a88..f234829f8 100644
--- a/config/envoyconfig/listeners.go
+++ b/config/envoyconfig/listeners.go
@@ -114,9 +114,7 @@ func getAllCertificates(cfg *config.Config) ([]tls.Certificate, error) {
 		return nil, fmt.Errorf("error getting wildcard certificate: %w", err)
 	}
 
-	// wildcard certificate must be first so that it is used as the default certificate
-	// when no SNI matches
-	return append([]tls.Certificate{*wc}, allCertificates...), nil
+	return append(allCertificates, *wc), nil
 }
 
 func (b *Builder) buildTLSSocket(ctx context.Context, cfg *config.Config, certs []tls.Certificate) (*envoy_config_core_v3.TransportSocket, error) {
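Review bot: The new `return append(allCertificates, *wc), nil` line drops the comment that explained why certificate order matters, so the next reader has no stated reason not to move the wildcard back to the front even though the ordering is the whole point of this commit; restore a why-comment above it, e.g. `// the wildcard catch-all must be the last certificate so that more specific certificates are considered first and the catch-all only serves names no other certificate covers`. The exact selection rule is Envoy's, not this file's, so the comment should state it only as far as it was verified against the Envoy version in use, and a unit test asserting that the wildcard is the final element of the returned slice would lock the ordering in. Note also that `append(allCertificates, *wc)` writes into allCertificates' backing array whenever it has spare capacity, whereas the removed line always allocated a fresh slice; if allCertificates is shared with another holder this would alias, but its construction is above the hunk so that cannot be confirmed here. getAllCertificates begins before the hunk.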