Do not retry request Do() error in some cases (#1691)

Do not retry the request if:
- The client is not able to trust the public certificate received from
  the server
- If the server is HTTP but we sent a HTTPs request

Author: vadmeste

api.go

@@ -595,12 +595,11 @@ func (c *Client) executeMethod(ctx context.Context, method string, metadata requ
 		// Initiate the request.
 		res, err = c.do(req)
 		if err != nil {
-			if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
-				return nil, err
+			if isRequestErrorRetryable(err) {
+				// Retry the request
+				continue
 			}
-
-			// Retry the request
-			continue
+			return nil, err
 		}
 
 		// For any known successful http status, return quickly.

retry.go

@@ -19,7 +19,10 @@ package minio
 
 import (
 	"context"
+	"crypto/x509"
+	"errors"
 	"net/http"
+	"net/url"
 	"time"
 )
 
@@ -123,3 +126,23 @@ func isHTTPStatusRetryable(httpStatusCode int) (ok bool) {
 	_, ok = retryableHTTPStatusCodes[httpStatusCode]
 	return ok
 }
+
+// For now, all http Do() requests are retriable except some well defined errors
+func isRequestErrorRetryable(err error) bool {
+	if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+		return false
+	}
+	if ue, ok := err.(*url.Error); ok {
+		e := ue.Unwrap()
+		switch e.(type) {
+		// x509: certificate signed by unknown authority
+		case x509.UnknownAuthorityError:
+			return false
+		}
+		switch e.Error() {
+		case "http: server gave HTTP response to HTTPS client":
+			return false
+		}
+	}
+	return true
+}