I’m trying to resolve an issue which can be reproduced in the following situation.
- A webserver is configured with HSTS, and the webserver will always redirect to the HTTPS site.
- The webserver was configured with self-signed certificates or an expired (Let’s Encrypt) certificate
- Webroot domain validation is used for authentication
This discussion on acmetool started here: https://github.com/hlandau/acme/issues/199
From my perspective, the validation of a domain name boils down to: can a validation tool reach a webserver located at the AAAA/A record for the requested domain name. I assume that a redirection on the webserver side to an HTTPS resource is allowed. Please confirm this statement.
If the redirection is allowed we may arrive at a chicken-and-egg problem. A Let's Encrypt certificate may have expired before the renewal process has been done, or the webserver can be started with self-signed certificates. To me it sounds as if being strict on SSL validation goes beyond checking whether the document can be retrieved from the IP address defined by the A/AAAA record.
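Whatever the validator does with the redirect, the usual way to keep webroot renewal independent of the state of the certificate is to answer the challenge path over plain HTTP and only redirect everything else. The nginx configuration below is an added example, not part of the original post and not acmetool's own configuration; the domain `example.com`, the webroot `/var/www/letsencrypt` and the certificate paths under `/etc/ssl/example.com` are assumptions. The commented-out block at the top is the catch-all redirect that produces the situation described above; the blocks after it are the corrected layout.

```nginx
# Added example (not from the original post). Assumed names: example.com,
# webroot /var/www/letsencrypt, certificate files under /etc/ssl/example.com.

# BEFORE: every HTTP request, including the ACME challenge, is bounced to
# HTTPS, so validation can only succeed while the HTTPS listener presents a
# certificate the validator is willing to accept.
# server {
#     listen 80;
#     server_name example.com;
#     return 301 https://$host$request_uri;
# }

# AFTER: serve the challenge directory over plain HTTP, redirect the rest.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # A webroot-mode ACME client writes each token to
    # <webroot>/.well-known/acme-challenge/<token>; serve it as a static file
    # with no redirect, regardless of what the HTTPS side is doing.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Assumed paths; point these at the files your ACME client writes.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # HSTS belongs on the HTTPS listener only: RFC 6797 requires clients to
    # ignore a Strict-Transport-Security header received over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Same directory here, so a client that reaches the HTTPS side directly
    # (for example a browser with HSTS state for this host) also finds it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # ... the site itself ...
}
```

After `nginx -t` and a reload, a quick check is to drop a file into `/var/www/letsencrypt/.well-known/acme-challenge/` and request it with `curl -i http://example.com/.well-known/acme-challenge/<name>`: the answer should be a plain `200` with the file contents, not a `301` to HTTPS. With that in place the renewal does not depend on whether the existing certificate is expired or self-signed, which removes the chicken-and-egg problem from the HTTP-01 path entirely.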