Make self-check not validate self-signed certificates

By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)

roles/matrix-nginx-proxy/defaults/main.yml

@@ -104,6 +104,9 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
 # Specifies which SSL protocols to use when serving Riot and Synapse
 matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
 
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_nginx_proxy_self_check_validate_certificates: true
+
 # By default, this playbook automatically retrieves and auto-renews
 # free SSL certificates from Let's Encrypt.
 #

roles/matrix-nginx-proxy/tasks/self_check_well_known.yml

@@ -7,6 +7,7 @@
         purpose: Client Discovery
         cors: true
         follow_redirects: false
+        validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
 
 - block:
     - set_fact:
@@ -15,6 +16,7 @@
           purpose: Server Discovery
           cors: false
           follow_redirects: true
+          validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
 
     - name: Determine domains that we require certificates for (mxisd)
       set_fact:

roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml

@@ -11,6 +11,7 @@
     url: "{{ well_known_url_matrix }}"
     follow_redirects: false
     return_content: true
+    validate_certs: "{{ well_known_file_check.validate_certs }}"
   register: result_well_known_matrix
   ignore_errors: true
 
@@ -37,6 +38,7 @@
     url: "{{ well_known_url_identity }}"
     follow_redirects: "{{ well_known_file_check.follow_redirects }}"
     return_content: true
+    validate_certs: "{{ well_known_file_check.validate_certs }}"
   register: result_well_known_identity
   ignore_errors: true