Document use of --insecure when verifying HTTP-01 tokens

--insecure is almost always a bad idea.  In this case, it
is required for compatibility with Let's Encrypt.

Replace the less obvious '-k' with '--insecure' in the cURL
command, and document why it is used in the comments,
pull/685/head
Timothe Litt 4 years ago
parent
commit
f245e9a5f5
1 changed file with 4 additions and 1 deletion: getssl (+4, -1)
@ -1371,7 +1371,10 @@ for d in "${alldomains[@]}"; do
else
sleep "$HTTP_TOKEN_CHECK_WAIT"
# check that we can reach the challenge ourselves, if not, then error
if [[ ! "$(curl --user-agent "$CURL_USERAGENT" -k --silent --location "$wellknown_url")" == "$keyauthorization" ]]; then
# ACME only allows port 80 (http), but redirects may use https. --insecure is used in case
# those certificates are being renewed. Let's Encrypt does the same. In this case, we verify
# that the correct data is returned, so this is safe.
if [[ ! "$(curl --user-agent "$CURL_USERAGENT" --insecure --silent --location "$wellknown_url")" == "$keyauthorization" ]]; then
error_exit "for some reason could not reach $wellknown_url - please check it manually"
fi
fi
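Review bot: The first line of the added comment, "--insecure is used in case those certificates are being renewed", does not say which certificate or why verification would otherwise fail; state the failure mode directly, e.g. "the https redirect target may present the expired or self-signed certificate this run is about to replace, so verification would fail before the token could be compared". The closing "so this is safe" would also be more precise as "the check only compares the response body with $keyauthorization, which is all the ACME server does over plain HTTP, so transport authentication adds nothing here". Two smaller points on the curl line itself: `[[ ! "$(...)" == "$keyauthorization" ]]` reads more naturally as `!=`, and the call has no `--max-time`, so a redirect target that accepts the connection but never answers will hang the renewal instead of reaching error_exit.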

