HTTP-01 gives misleading "could not connect" error (#2142)

Fixes #2122

va/va.go

@@ -230,6 +230,7 @@ func (va *ValidationAuthorityImpl) fetchHTTP(ctx context.Context, identifier cor
 			req.Header["User-Agent"] = []string{va.userAgent}
 		}
 
+		urlHost = req.URL.Host
 		reqHost := req.URL.Host
 		var reqPort int
 		if h, p, err := net.SplitHostPort(reqHost); err == nil {
@@ -266,7 +267,7 @@ func (va *ValidationAuthorityImpl) fetchHTTP(ctx context.Context, identifier cor
 	if err != nil {
 		va.log.Info(fmt.Sprintf("HTTP request to %s failed. err=[%#v] errStr=[%s]", url, err, err))
 		return nil, validationRecords,
-			parseHTTPConnError(fmt.Sprintf("Could not connect to %s", url), err)
+			parseHTTPConnError(fmt.Sprintf("Could not connect to %s", urlHost), err)
 	}
 
 	body, err := ioutil.ReadAll(&io.LimitedReader{R: httpResponse.Body, N: maxResponseSize})

va/va_test.go

@@ -71,6 +71,7 @@ const expectedToken = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
 const expectedKeyAuthorization = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0.9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
 const pathWrongToken = "i6lNAC4lOOLYCl-A08VJt9z_tKYvVk63Dumo8icsBjQ"
 const path404 = "404"
+const path500 = "500"
 const pathFound = "GBq8SwWq3JsbREFdCamk5IX3KLsxW5ULeGs98Ajl_UM"
 const pathMoved = "5J4FIMrWNfmvHZo-QpKZngmuhqZGwRm21-oEgUDstJM"
 const pathRedirectPort = "port-redirect"
@@ -78,6 +79,7 @@ const pathWait = "wait"
 const pathWaitLong = "wait-long"
 const pathReLookup = "7e-P57coLM7D3woNTp_xbJrtlkDYy6PWf3mSSbLwCr4"
 const pathReLookupInvalid = "re-lookup-invalid"
+const pathRedirectToFailingURL = "re-to-failing-url"
 const pathLooper = "looper"
 const pathValid = "valid"
 const rejectUserAgent = "rejectMe"
@@ -96,6 +98,9 @@ func httpSrv(t *testing.T, token string) *httptest.Server {
 		if strings.HasSuffix(r.URL.Path, path404) {
 			t.Logf("HTTPSRV: Got a 404 req\n")
 			http.NotFound(w, r)
+		} else if strings.HasSuffix(r.URL.Path, path500) {
+			t.Logf("HTTPSRV: Got a 500 req\n")
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
 		} else if strings.HasSuffix(r.URL.Path, pathMoved) {
 			t.Logf("HTTPSRV: Got a 301 redirect req\n")
 			if currentToken == defaultToken {
@@ -125,6 +130,9 @@ func httpSrv(t *testing.T, token string) *httptest.Server {
 		} else if strings.HasSuffix(r.URL.Path, pathReLookupInvalid) {
 			t.Logf("HTTPSRV: Got a redirect req to an invalid hostname\n")
 			http.Redirect(w, r, "http://invalid.invalid/path", 302)
+		} else if strings.HasSuffix(r.URL.Path, pathRedirectToFailingURL) {
+			t.Logf("HTTPSRV: Redirecting to a URL that will fail\n")
+			http.Redirect(w, r, fmt.Sprintf("http://other.valid/%s", path500), 301)
 		} else if strings.HasSuffix(r.URL.Path, pathLooper) {
 			t.Logf("HTTPSRV: Got a loop req\n")
 			http.Redirect(w, r, r.URL.String(), 301)
@@ -347,6 +355,15 @@ func TestHTTPRedirectLookup(t *testing.T) {
 	test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/port-redirect" to ".*other.valid:8080/path"`)), 1)
 	test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1)
 	test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for other.valid \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1)
+
+	// This case will redirect from a valid host to a host that is throwing
+	// HTTP 500 errors. The test case is ensuring that the connection error
+	// is referencing the redirected to host, instead of the original host.
+	log.Clear()
+	setChallengeToken(&chall, pathRedirectToFailingURL)
+	_, prob = va.validateHTTP01(ctx, ident, chall)
+	test.AssertNotNil(t, prob, "Problem Details should not be nil")
+	test.AssertEquals(t, prob.Detail, "Could not connect to other.valid")
 }
 
 func TestHTTPRedirectLoop(t *testing.T) {