Change HTTP self-test behaviour to match Let's Encrypt

Bad TLS certificates in redirects from HTTP validation URLs are now accepted. Fixes #199. ©! I hereby licence these changes under the licence with SHA256 hash ©! fd80a26fbb3f644af1fa994134446702932968519797227e07a1368dea80f0bc.
hlandau · Sep 3, 2016 · de9a08a · de9a08a
1 parent 3463e55
commit de9a08a
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/responder/http.go b/responder/http.go
@@ -3,6 +3,7 @@ package responder
 import (
 	"bytes"
 	"crypto"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"github.com/hlandau/acme/acmeapi/acmeutils"
@@ -104,6 +105,10 @@ func (s *httpResponder) Start() error {
 	return nil
 }
 
+// This is currently the validation timeout used by Let's Encrypt, so let's
+// use the same value here.
+var selfTestTimeout = 5 * time.Second
+
 // Test that the challenge is reachable at the given hostname. If a hostname
 // was not provided, this test is skipped.
 func (s *httpResponder) selfTest() error {
@@ -117,7 +122,17 @@ func (s *httpResponder) selfTest() error {
 		Path:   "/.well-known/acme-challenge/" + s.rcfg.Token,
 	}
 
-	res, err := http.Get(u.String())
+	trans := &http.Transport{
+		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
+		DisableKeepAlives: true,
+	}
+
+	client := &http.Client{
+		Transport: trans,
+		Timeout:   selfTestTimeout,
+	}
+
+	res, err := client.Get(u.String())
 	if err != nil {
 		return err
 	}