fix http-01 encoding

acme/acme/challenges.py

@@ -314,6 +314,15 @@ class HTTP01Response(KeyAuthorizationChallengeResponse):
         except requests.exceptions.RequestException as error:
             logger.error("Unable to reach %s: %s", uri, error)
             return False
+        # By default, http_response.text will try to guess the encoding to use
+        # when decoding the response to Python unicode strings. This guesswork
+        # is error prone and since RFC 8555 specifies that key authorizations
+        # (which is the expected response for HTTP-01 challenges) are composed
+        # entirely of the base64 alphabet plus ".", we tell requests that the
+        # response should be ASCII. See
+        # https://datatracker.ietf.org/doc/html/rfc8555#section-8.1 for more
+        # info.
+        http_response.encoding = "ascii"
         logger.debug("Received %s: %s. Headers: %s", http_response,
                      http_response.text, http_response.headers)
 

certbot/CHANGELOG.md

@@ -10,7 +10,11 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 
 ### Changed
 
-*
+* When self-validating HTTP-01 challenges using
+  acme.challenges.HTTP01Response.simple_verify, we now assume that the response
+  is composed of only ASCII characters. Previously we were relying on the
+  default behavior of the requests library which tries to guess the encoding of
+  the response which was error prone.
 
 ### Fixed