Closed alexzorin closed 4 years ago
Yep, you are right.
When I implemented the HTTP authorization, I read this RFC8555 section where we have
Because many web servers allocate a default HTTPS virtual host to a particular low-privilege tenant user in a subtle and non-intuitive manner, the challenge must be completed over HTTP, not HTTPS.
But of course the web server can send a redirect to HTTPS, and we have to obey that and accept unsafe HTTPS certificates, like Boulder does (see here and here).
Could you check if #4 fixes this issue?
Looks good, thanks!
@alexzorin I just released version 4.2.8 (both in the concrete5 marketplace and on packagist) with the fix for this issue.
Reported on the Let's Encrypt community forums, it seems that the preflight performed for the
HttpPhysicalChallenge
runs, at least under some configurations, withCURLOPT_SSL_VERIFYHOST = 2
.This can be a problem if there a redirect to an HTTPS host that has e.g. a self-signed certificate.
Common implementations of RFC8555 (Boulder, Pebble) do not do any certification verification when encountering these kinds of redirects.
Since the preflight in
checkConfiguration
does perform certificate verification, it can prevent certificate issuance from succeeding where it would otherwise work just fine.My suggestion would be to set it to 0 indiscriminately.