From bdac04a3d6aacc9992c4e0bf8514dcd6a1440f76 Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Wed, 14 Jul 2021 09:08:35 -0700
Subject: [PATCH] fix http-01 encoding

---
 acme/acme/challenges.py | 9 +++++++++
 certbot/CHANGELOG.md    | 6 +++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/acme/acme/challenges.py b/acme/acme/challenges.py
index 2c8190be5..b1deca68b 100644
--- a/acme/acme/challenges.py
+++ b/acme/acme/challenges.py
@@ -314,6 +314,15 @@ class HTTP01Response(KeyAuthorizationChallengeResponse):
         except requests.exceptions.RequestException as error:
             logger.error("Unable to reach %s: %s", uri, error)
             return False
+        # By default, http_response.text will try to guess the encoding to use
+        # when decoding the response to Python unicode strings. This guesswork
+        # is error prone and since RFC 8555 specifies that key authorizations
+        # (which is the expected response for HTTP-01 challenges) are composed
+        # entirely of the base64 alphabet plus ".", we tell requests that the
+        # response should be ASCII. See
+        # https://datatracker.ietf.org/doc/html/rfc8555#section-8.1 for more
+        # info.
+        http_response.encoding = "ascii"
         logger.debug("Received %s: %s. Headers: %s", http_response,
                      http_response.text, http_response.headers)
diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index f77a36c79..865de631e 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -10,7 +10,11 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 
 ### Changed
 
-*
+* When self-validating HTTP-01 challenges using
+  acme.challenges.HTTP01Response.simple_verify, we now assume that the response
+  is composed of only ASCII characters. Previously we were relying on the
+  default behavior of the requests library which tries to guess the encoding of
+  the response which was error prone.
 
 ### Fixed
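Review bot: The new comment's "base64 alphabet plus "."" is looser than the RFC it links: RFC 8555 section 8.1 builds the key authorization from the base64url-encoded token and JWK thumbprint (RFC 4648 section 5, unpadded), so `+`, `/` and `=` are not part of a valid response; I would write `# ... composed entirely of the base64url alphabet (RFC 4648 section 5, unpadded) plus "."`. It is also worth a one-line comment next to `http_response.encoding = "ascii"` that, as far as I recall, requests decodes `.text` with replacement rather than strict error handling, so a non-ASCII byte in the body becomes U+FFFD and the later comparison simply fails instead of raising a UnicodeDecodeError, which a reader might otherwise expect to see caught somewhere. The enclosing simple_verify body begins before this hunk and the comparison against the expected key authorization lies after it, so I could not confirm from the hunk alone how the replacement-character case is reported.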