Description
Hi there,
In my server setup, I initially set up the server with the firewall allowing HTTP traffic, but once SSL is set up, I'd like to close it up a bit by disabling HTTP completely. (Before traffic hits the server, there's a Cloudflare page rule that redirects HTTP traffic to HTTPS.)
This setup should work with Let's Encrypt as well, because:

> "Let's Encrypt follows redirects (HTTP 301 and 302) when performing HTTP-01 challenges, both to other domains and from http:// to https://"

However, where this falls down is that `letsencrypt/tasks/nginx.yml` calls the `test_challenges` module (`trellis/roles/letsencrypt/tasks/nginx.yml`, line 50 in c8f679e: `test_challenges: |`), and in that file it only makes an HTTP request:

`conn = HTTPConnection(host)`
(It would need to use HTTPSConnection (note the 'S') to make an HTTPS connection.)
Would you consider updating the `test_challenges` module so it can make an HTTPS connection? I've whipped up a version of it that first tries via HTTP, and if the status back isn't 200, it tries again over SSL. (In reality we'd perhaps want this to be configurable, since not everyone will have that same HTTP->HTTPS redirect I have.)
A parallel suggestion would be to have that Ansible module return a bit more info so users could know, for example, the HTTP response code and/or headers they're getting back (because as others have noted, Cloudflare sometimes throws up blocks people may not realize are there, and one may need to disable the "browser integrity check" feature on the .well-known challenge location).
Thank you.
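The probe behaviour the issue asks for (plain HTTP first, following a 301/302 to https:// or to another host, retrying over TLS when port 80 is closed or answers with a non-200, and surfacing the status code and headers actually seen), as an added example that is neither the Trellis `test_challenges` module nor the reporter's patch. `probe_challenge`, `demo`, the fake edge classes, `example.com`, the token path and the three scenarios are assumptions constructed so it runs offline; the real connections use only `http.client.HTTPConnection` / `HTTPSConnection`.

```python
"""Added example (not Trellis code): probe an ACME HTTP-01 challenge URL the way
Let's Encrypt does (HTTP first, following 301/302), fall back to HTTPS, and
report status/reason/headers for every hop instead of a bare "not 200"."""
import http.client
import ssl
from urllib.parse import urlparse

MAX_HOPS = 5  # assumption: cap on redirects so a loop cannot hang the check


def _connect(scheme, host, timeout):
    """Real connections; HTTPS verifies the cert against the system store."""
    if scheme == "https":
        return http.client.HTTPSConnection(
            host, timeout=timeout, context=ssl.create_default_context())
    return http.client.HTTPConnection(host, timeout=timeout)


def probe_challenge(host, path, timeout=5, connect=_connect):
    """GET http://host/path; follow 301/302 (scheme/host may change); if HTTP
    cannot connect or returns neither 200 nor a redirect, retry over HTTPS.
    Returns the final response plus the list of hops. `connect` is injectable
    so the logic can be exercised without a network (see demo())."""
    scheme, hops, result = "http", [], None
    for _ in range(MAX_HOPS):
        try:
            conn = connect(scheme, host, timeout)
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            result = {"scheme": scheme, "host": host, "path": path,
                      "status": resp.status, "reason": resp.reason,
                      "headers": dict(resp.getheaders()), "body": resp.read()}
            location = resp.getheader("Location")
            conn.close()
        except (OSError, http.client.HTTPException) as exc:
            hops.append((scheme, host, path, "error: %s" % exc))
            if scheme == "http":
                scheme = "https"   # port 80 may be firewalled; try TLS directly
                continue
            return {"ok": False, "status": None, "reason": None, "headers": {},
                    "body": b"", "scheme": scheme, "host": host, "path": path,
                    "hops": hops}
        hops.append((scheme, host, path, result["status"]))
        if result["status"] in (301, 302) and location:
            target = urlparse(location)     # absolute or relative Location
            scheme, host = target.scheme or scheme, target.netloc or host
            path = target.path or path
            continue
        if result["status"] != 200 and scheme == "http":
            scheme = "https"       # the reporter's fallback: retry over SSL
            continue
        break
    result["ok"] = result["status"] == 200
    result["hops"] = hops
    return result


# ---- constructed fake edge so the demo runs offline (assumption) ----------
class _FakeResponse:
    def __init__(self, status, reason, headers, body):
        self.status, self.reason, self._h, self._body = status, reason, headers, body
    def read(self):
        return self._body
    def getheaders(self):
        return list(self._h.items())
    def getheader(self, name, default=None):
        return next((v for k, v in self._h.items() if k.lower() == name.lower()), default)


class _FakeConn:
    """Answers from a table keyed by (scheme, host, path); a missing key acts
    like a firewalled port (connection refused)."""
    def __init__(self, table, scheme, host):
        self._t, self._s, self._host, self._path = table, scheme, host, None
    def request(self, method, path, headers=None):
        self._path = path
    def getresponse(self):
        entry = self._t.get((self._s, self._host, self._path))
        if entry is None:
            raise ConnectionRefusedError("%s://%s refused" % (self._s, self._host))
        return _FakeResponse(*entry)
    def close(self):
        pass


HOST = "example.com"                                # constructed
PATH = "/.well-known/acme-challenge/example-token"  # constructed token path
_OK = (200, "OK", {"Content-Type": "text/plain"}, b"example-token.example-thumbprint")
_REDIRECT = (301, "Moved Permanently",
             {"Location": "https://%s%s" % (HOST, PATH), "Server": "cloudflare"}, b"")
_BLOCKED = (403, "Forbidden", {"Server": "cloudflare"}, b"constructed block page")

SCENARIOS = {
    # Cloudflare page rule sends HTTP to HTTPS; origin answers only over TLS.
    "redirect": {("http", HOST, PATH): _REDIRECT, ("https", HOST, PATH): _OK},
    # Port 80 closed at the firewall, no redirect at all.
    "port80_closed": {("https", HOST, PATH): _OK},
    # An edge-side block (e.g. browser integrity check) on both schemes.
    "blocked": {("http", HOST, PATH): _BLOCKED, ("https", HOST, PATH): _BLOCKED},
}


def demo():
    """Run probe_challenge() against each constructed scenario."""
    return {name: probe_challenge(HOST, PATH,
                                  connect=lambda s, h, t, tb=table: _FakeConn(tb, s, h))
            for name, table in SCENARIOS.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "ok" if r["ok"] else "FAIL", r["status"], r["reason"], r["hops"])
```

Reading the `hops` list is the point: in the "blocked" scenario the check fails with a visible 403 and `Server: cloudflare` on both schemes, which is exactly the information the issue says users currently cannot see; in the "port80_closed" scenario the first hop records the refused connection before the HTTPS retry succeeds.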