diff --git a/go.mod b/go.mod
index 537fbb3..53e7d5b 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.22.0
 
 require (
 	github.com/mjl-/adns v0.0.0-20250321173553-ab04b05bdfea
-	github.com/mjl-/autocert v0.0.0-20231214125928-31b7400acb05
+	github.com/mjl-/autocert v0.0.0-20250321204043-abab2b936e31
 	github.com/mjl-/bstore v0.0.6
 	github.com/mjl-/flate v0.0.0-20250221133712-6372d09eb978
 	github.com/mjl-/sconf v0.0.7
diff --git a/go.sum b/go.sum
index f24b6c8..a27a3b0 100644
--- a/go.sum
+++ b/go.sum
@@ -26,8 +26,8 @@ github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvls
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/mjl-/adns v0.0.0-20250321173553-ab04b05bdfea h1:8dftsVL1tHhRksXzFZRhSJ7gSlcy/t87Nvucs3JnTGE=
 github.com/mjl-/adns v0.0.0-20250321173553-ab04b05bdfea/go.mod h1:rWZMqGA2HoBm5b5q/A5J8u1sSVuEYh6zBz9tMoVs+RU=
-github.com/mjl-/autocert v0.0.0-20231214125928-31b7400acb05 h1:s6ay4bh4tmpPLdxjyeWG45mcwHfEluBMuGPkqxHWUJ4=
-github.com/mjl-/autocert v0.0.0-20231214125928-31b7400acb05/go.mod h1:taMFU86abMxKLPV4Bynhv8enbYmS67b8LG80qZv2Qus=
+github.com/mjl-/autocert v0.0.0-20250321204043-abab2b936e31 h1:6MFGOLPGf6VzHWkKv8waSzJMMS98EFY2LVKPRHffCyo=
+github.com/mjl-/autocert v0.0.0-20250321204043-abab2b936e31/go.mod h1:taMFU86abMxKLPV4Bynhv8enbYmS67b8LG80qZv2Qus=
 github.com/mjl-/bstore v0.0.6 h1:ntlu9MkfCkpm2XfBY4+Ws4KK9YzXzewr3+lCueFB+9c=
 github.com/mjl-/bstore v0.0.6/go.mod h1:/cD25FNBaDfvL/plFRxI3Ba3E+wcB0XVOS8nJDqndg0=
 github.com/mjl-/flate v0.0.0-20250221133712-6372d09eb978 h1:Eg5DfI3/00URzGErujKus6a3O0kyXzF8vjoDZzH/gig=
diff --git a/vendor/github.com/mjl-/autocert/autocert.go b/vendor/github.com/mjl-/autocert/autocert.go
index a5d434e..25c2c7c 100644
--- a/vendor/github.com/mjl-/autocert/autocert.go
+++ b/vendor/github.com/mjl-/autocert/autocert.go
@@ -317,6 +317,10 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 	}
 
 	// regular domain
+	if err := m.hostPolicy()(ctx, name); err != nil {
+		return nil, err
+	}
+
 	ck := certKey{
 		domain: strings.TrimSuffix(name, "."), // golang.org/issue/18114
 		isRSA:  !supportsECDSA(hello),
@@ -330,9 +334,6 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 	}
 
 	// first-time
-	if err := m.hostPolicy()(ctx, name); err != nil {
-		return nil, err
-	}
 	cert, err = m.createCert(ctx, ck)
 	if err != nil {
 		return nil, err
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7ba0d63..784ddfd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -13,7 +13,7 @@ github.com/mjl-/adns
 github.com/mjl-/adns/internal/bytealg
 github.com/mjl-/adns/internal/itoa
 github.com/mjl-/adns/internal/singleflight
-# github.com/mjl-/autocert v0.0.0-20231214125928-31b7400acb05
+# github.com/mjl-/autocert v0.0.0-20250321204043-abab2b936e31
 ## explicit; go 1.20
 github.com/mjl-/autocert
 # github.com/mjl-/bstore v0.0.6