Update acme_tiny.py #230
Update acme_tiny.py #230
Conversation
fix an issue when file cannot be downloaded after ssl expire
|
Generally "best practises" suggest that LE .well-known should be requested through http/80 anyway, or at least it has been that way... Exactly because one should assume that already having working ssl is not a certainty, and LE does not need https for authentication phase. Now this does not say one can't use https for LE .well-known, but it will generally indeed fail when there isn't ssl already working. |
@olmari I'm afraid that's not true. Let's Encrypt will ignore certificate validation errors when processing an RFC 8555 HTTP-01 challenge that was redirected by the origin server to an HTTPS domain with an invalid certificate. |
|
Oh well, so it seems, my "data" was old.. I do see the point on this, so while I'm no developer I'd greenlight this kind of commit for exactly LE/Acme-tiny context :) |
There was a problem hiding this comment.
Sorry, but this PR cannot be merged. What you are doing is disabling certification for all requests acme-tiny is doing, in particular also for all communication with the ACME CA.
You need to do this only when checking whether the challenge file is around. There have been other PRs trying to do that before (#190, #221); they were not merged because you can simply disable this check with the --disable-check option.
(Also, you haven't been the first to try to disable all certificate validations, see #215 for example :) )
|
ok - then it should be added to the docs somewhere - it would help a lot, I have one of my apps doing ssl pinning and needed to act fast. Closing. |
|
It's already documented if you run |
fix an issue when file cannot be downloaded after ssl expire
fixes #229