Http*Challenge: checkConfiguration should ignore certificate verification errors

[alexzorin]

Reported on the Let's Encrypt community forums, it seems that the preflight performed for the HttpPhysicalChallenge runs, at least under some configurations, with CURLOPT_SSL_VERIFYHOST = 2.

This can be a problem if there a redirect to an HTTPS host that has e.g. a self-signed certificate.

Common implementations of RFC8555 (Boulder, Pebble) do not do any certification verification when encountering these kinds of redirects.

Since the preflight in checkConfiguration does perform certificate verification, it can prevent certificate issuance from succeeding where it would otherwise work just fine.

My suggestion would be to set it to 0 indiscriminately.

[mlocati]

Yep, you are right.

When I implemented the HTTP authorization, I read this RFC8555 section where we have

Because many web servers allocate a default HTTPS virtual host to a particular low-privilege tenant user in a subtle and non-intuitive manner, the challenge must be completed over HTTP, not HTTPS.

But of course the web server can send a redirect to HTTPS, and we have to obey that and accept unsafe HTTPS certificates, like Boulder does (see here and here).

Could you check if #4 fixes this issue?

[alexzorin]

Looks good, thanks!

[mlocati]

@alexzorin I just released version 4.2.8 (both in the concrete5 marketplace and on packagist) with the fix for this issue.