From f245e9a5f5f47ceed309c5ca100e621a4703b00e Mon Sep 17 00:00:00 2001
From: Timothe Litt
Date: Wed, 28 Jul 2021 05:26:24 -0400
Subject: [PATCH] Document use of --insecure when verifying HTTP-01 tokens

--insecure is almost always a bad idea. In this case, it is required for compatibility with Let's Encrypt. Replace the less obvious '-k' with '--insecure' in the cURL command, and document why it is used in the comments,
---
 getssl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/getssl b/getssl
index 9f8486f..a83fe77 100755
--- a/getssl
+++ b/getssl
@@ -1371,7 +1371,10 @@ for d in "${alldomains[@]}"; do
 else
 sleep "$HTTP_TOKEN_CHECK_WAIT"
 # check that we can reach the challenge ourselves, if not, then error
- if [[ ! "$(curl --user-agent "$CURL_USERAGENT" -k --silent --location "$wellknown_url")" == "$keyauthorization" ]]; then
+ # ACME only allows port 80 (http), but redirects may use https. --insecure is used in case
+ # those certificates are being renewed. Let's Encrypt does the same. In this case, we verify
+ # that the correct data is returned, so this is safe.
+ if [[ ! "$(curl --user-agent "$CURL_USERAGENT" --insecure --silent --location "$wellknown_url")" == "$keyauthorization" ]]; then
 error_exit "for some reason could not reach $wellknown_url - please check it manually"
 fi
 fi
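Review bot: The new comment's "so this is safe" argument leaves implicit the two facts that actually make --insecure acceptable on this line: the key authorization fetched here is already public content that the script itself publishes at the well-known URL, so nothing secret is exposed, and this curl is only a local preflight — the ACME server, not this check, performs the validation that matters. A tampered or misconfigured redirect target could therefore only make this preflight pass or fail spuriously; it cannot affect issuance. I would extend the comment with `# --insecure only affects this local preflight; the key authorization is already public and the ACME server performs the real validation.` so a future reader does not generalise the exception to other curl calls in getssl. As a point of style, `[[ ! "$(...)" == "$keyauthorization" ]]` reads more naturally as `[[ "$(...)" != "$keyauthorization" ]]`; the enclosing loop body starts before this hunk.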