From f72b59bee1957164f90081305d01930c63ccc6e2 Mon Sep 17 00:00:00 2001
From: Daniel Morsing
Date: Wed, 16 Jan 2019 13:23:01 +0000
Subject: [PATCH] Disable TLS verification when self-checking

Fixes #949

Signed-off-by: Daniel Morsing
---
 pkg/issuer/acme/http/http.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/issuer/acme/http/http.go b/pkg/issuer/acme/http/http.go
index e569bd223..47d1ef1c4 100644
--- a/pkg/issuer/acme/http/http.go
+++ b/pkg/issuer/acme/http/http.go
@@ -18,6 +18,7 @@ package http
 import (
 "context"
+ "crypto/tls"
 "fmt"
 "io/ioutil"
 "net/http"
@@ -149,7 +150,22 @@ func testReachability(ctx context.Context, url string, key string) (bool, error)
 req = req.WithContext(ctx)
- response, err := http.DefaultClient.Do(req)
+ // ACME spec says that a verifier should try
+ // on http port 80 first, but follow any redirects may be thrown its way
+ // The redirects may be HTTPS and its certificate may be invalid (they are trying to get a
+ // certificate after all).
+ // TODO(dmo): figure out if we need to add a more specific timeout for
+ // individual checks
+ transport := &http.Transport{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ },
+ }
+ client := http.Client{
+ Transport: transport,
+ }
+
+ response, err := client.Do(req)
 if err != nil {
 return false, &absorbErr{err: fmt.Errorf("failed to GET '%s': %v", url, err)}
 }
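Review bot: The `&http.Transport{...}` literal in the second hunk replaces `http.DefaultClient` with a bare transport that drops `DefaultTransport`'s `Proxy: http.ProxyFromEnvironment` and its handshake and dial timeouts, and it is allocated on every call to testReachability, so each self-check opens fresh connections and leaves the previous transport's idle ones alive until GC. Since the request already carries `ctx`, the overall bound survives, but a proxied cluster would silently stop honouring HTTP(S)_PROXY and the TODO about per-check timeouts becomes more pressing because `TLSHandshakeTimeout` is now zero (no limit). I would build the transport once at package scope, copy `Proxy` (and `TLSHandshakeTimeout`, importing `time` if the file does not already) from the defaults, and state in the comment that verification is skipped only because the self-check response is never used as a trust decision — that is the property that makes `InsecureSkipVerify` defensible here and it should be explicit for the next reader. testReachability starts before the hunk and its body continues after it.

```go
// selfCheckTransport is built once: a per-call Transport never reuses
// connections and keeps its idle ones alive until garbage-collected.
// Certificate verification is intentionally disabled: the challenge host is
// still trying to obtain its certificate, and the response is only used to
// confirm reachability, never as a trust decision.
var selfCheckTransport = &http.Transport{
	Proxy:           http.ProxyFromEnvironment,
	TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}

	// … unchanged: req setup and ACME redirect comment …
	client := http.Client{Transport: selfCheckTransport}
	response, err := client.Do(req)
```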