
Script fails when challenge URL is redirected to https with self-signed certificate #232

Closed
zerrac opened this issue Sep 10, 2019 · 4 comments

Comments

@zerrac

zerrac commented Sep 10, 2019

I ran into this bug while generating certificates for third-party software that manages its own Apache configuration and forces redirection to https.

In this context, the first certificate generation fails because the https cert is self-signed.

Let's Encrypt policy on self-signed certs (https://letsencrypt.org/fr/docs/challenge-types/):

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

I think acme_tiny should behave the same.

I did the following modification locally and posted it here in case you want to reuse it!
acme.diff.txt

@felixfontein
Contributor

Don't use that patch (in its current form)! It disables certificate validation for all requests, including the ones to the CA.

If you want to work around this problem, disable certificate validation only for the check whether the challenge file is there, and not everywhere!

@felixfontein
Contributor

Your patch is very similar to #230; see #221 for a better implementation which only disables certificate verification in this one case. If you want to use something like this, please use the patch from #221!
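The split felixfontein describes, with certificate verification relaxed only for the self-check of the challenge file and kept strict for every request to the CA, as an added example. This is not acme-tiny's own code and not the patch from #221; the function names and the injectable `opener` parameter are assumptions made for this illustration.

```python
"""Self-check an HTTP-01 challenge file across an http->https redirect without
weakening TLS verification for the requests that actually talk to the CA."""
import ssl
import urllib.request


def ca_ssl_context():
    # Requests to the CA (directory, new-order, finalize, ...) must verify the
    # server certificate: the default context loads the system trust store and
    # enforces hostname checking.
    return ssl.create_default_context()


def challenge_ssl_context():
    # Only the self-check of the challenge file may skip verification. This mirrors
    # Boulder, which follows redirects to https and does not validate certificates
    # there, since the challenge exists to bootstrap a valid certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_challenge(url, expected, opener=None):
    """Return True if the challenge URL serves exactly `expected` after redirects.

    `opener` is a hypothetical hook: a callable taking a URL and returning the
    response body as text. It defaults to urllib with the relaxed context, and the
    redirect handler reuses that context when an http URL bounces to https.
    """
    if opener is None:
        def opener(target):
            with urllib.request.urlopen(
                target, context=challenge_ssl_context(), timeout=10
            ) as resp:
                return resp.read().decode("utf8")
    try:
        body = opener(url)
    except (OSError, ValueError):
        # Connection errors, HTTP errors and bad redirects all mean "not there yet".
        return False
    return body.strip() == expected
```

The relaxed context never reaches `ca_ssl_context()` callers, so a self-signed or expired certificate on the challenge host cannot turn into unverified traffic to the CA.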

@zerrac
Author

zerrac commented Sep 11, 2019

Thanks for the info, I will use it!

@zerrac zerrac closed this as completed Sep 11, 2019
@AvverbioPronome

The same happens with expired certificates. I think certificate validation should be ignored (Boulder does) while checking if the challenge is there.

https://community.letsencrypt.org/t/virtualmin-lets-encrypt-web-based-validation-failed/117103?u=9peppe
