Cloudflare "Let's Verify You Are Human" stopping letsencrypt challenge

My domain is: reports.aztreasury.gov

I ran this command: certbot certonly -d reports.aztreasury.gov

It produced this output:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: reports.aztreasury.gov
Type: unauthorized
Detail: During secondary validation: 104.18.40.24: Invalid response from http://reports.aztreasury.gov/.well-known/acme-challenge/1CcVE9u5Fym4Jhk2Kz1npIVxthKviBvREBcw52_Haso: 403

My web server is (include version):

httpd -version
Server version: Apache/2.4.62 (Amazon Linux)
Server built: Jul 23 2024 00:00:00

The operating system my web server runs on is (include version):

Amazon Linux 2023

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 3.0.1

I ran our website through letsdebug, and discovered that the attempt by the Let's Encrypt server to retrieve the verification file from my webserver is being intercepted by Cloudflare's "Verifying You Are Human" page. Apparently the Let's Encrypt system doesn't know how to get past this, so our attempt to renew certs fails.

The only way I discovered this is from the output of letsdebug. It clearly showed the html for "Verifying You Are Human" was being returned, instead of the verification file.

Is there anything that can be done on my server or the certbot process to bypass this? Changing our dns to bypass cloudflare is an option, but short of that is there anything we can do otherwise?

I don't know about bypassing the verification, but have you thought about Cloudflare's Origin CA certificates? That way you don't need to issue an LE cert for your own server, as Cloudflare is already terminating TLS at their side with a publicly trusted certificate.

3 Likes

You can add a path exception to the Cloudflare bot check. Alternatively (or similarly) in the list of firewall rules in Cloudflare you can add a "skip/pass" for the HTTP-01 challenge path. That's usually where the bot/ray check is implemented.

6 Likes

Go into your WAF settings in Cloudflare and create a rule like the one in the screenshot.

2 Likes

@FirstTimeEZ

That's the right concept of what I've suggested above though it likely needs to cover more than just SBF rules and the skip needs to be positioned very carefully in the rules list.

2 Likes

@griffin I was thinking it is unusual for this to happen normally so they probably have it turned on and I didn't want to select too many things.

Creating rules like this can be like putting a hole in a wall; Cloudflare is likely blocking it for a valid reason.

1 Like

Agreed. The Cloudflare WAF rules are amongst the easiest things in the suite to screw up to great (meaning terrible) effect. :slightly_smiling_face: Not saying you did. The concept is sound for sure. Caution just needs to be exercised based upon what else @Zootal has going on in Cloudflare. When I was a Cloudflare admin for a credit union (as part of my role), this area in particular I made certain to pair or have reviewed very carefully.

4 Likes

Tyvm everyone. We decided to just disable Cloudflare for the 60 seconds it took to renew our certs, and then turn it back on. If I were to break something, I'd have people lining up outside my office door with torches and pitchforks...

1 Like

60 seconds is long enough for bots to get your IP address, and then they can bypass Cloudflare.

Is your server configured to only talk to Cloudflare?

You should only accept inbound traffic from these IP ranges, especially if you are going to be disabling Cloudflare.

There used to be a Cloudflare guide that I wrote in this Community, but the parent topic appears to have been deleted, rendering my bookmark useless. Please review the more recent guide that I have shared in the HestiaCP forum.

4 Likes
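The origin lockdown recommended in the reply above, as an added example that is not from the thread or from Cloudflare's own guides: a POSIX shell script that turns Cloudflare's published edge ranges into an Apache 2.4 allow-list, with the ACME challenge path left open so a renewal still works. It assumes Apache 2.4 `Require` syntax, the public list URLs shown, and a constructed sample range list so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): generate an Apache 2.4 fragment that
# answers only to Cloudflare's edge ranges, while /.well-known/acme-challenge/
# stays reachable so HTTP-01 validation is not blocked by the origin itself.

CF_V4_URL="https://www.cloudflare.com/ips-v4"   # Cloudflare's published lists
CF_V6_URL="https://www.cloudflare.com/ips-v6"

# cf_lockdown_conf RANGES: RANGES is a newline-separated CIDR list.
# Blank lines and "#" comments are dropped; any line that is not a CIDR
# makes the function fail, so a garbled download never becomes a config.
cf_lockdown_conf() {
    ranges=$(printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]*$//; /^$/d')
    [ -n "$ranges" ] || { echo "cf_lockdown_conf: empty range list" >&2; return 1; }
    if printf '%s\n' "$ranges" | grep -Evq '^[0-9A-Fa-f:.]+/[0-9]{1,3}$'; then
        echo "cf_lockdown_conf: malformed CIDR in input" >&2; return 1
    fi
    printf '%s\n' '<Location "/">' '    <RequireAny>'
    printf '%s\n' "$ranges" | while IFS= read -r cidr; do
        printf '        Require ip %s\n' "$cidr"
    done
    printf '%s\n' '    </RequireAny>' '</Location>'
    # More specific Location wins (AuthMerging Off): challenge path stays public.
    printf '%s\n' '<Location "/.well-known/acme-challenge/">' \
                  '    Require all granted' '</Location>'
}

# fetch_cf_ranges: download both lists (needs network). Fails if either
# download fails so the caller never writes a half-complete allow-list.
fetch_cf_ranges() {
    v4=$(curl -fsS "$CF_V4_URL") || return 1
    v6=$(curl -fsS "$CF_V6_URL") || return 1
    printf '%s\n%s\n' "$v4" "$v6"
}

# Constructed sample input so the script runs offline; for real use pass
# "$(fetch_cf_ranges)" instead and write the output to a conf.d file.
SAMPLE_RANGES='173.245.48.0/20
# comment lines are ignored
2400:cb00::/32'

cf_lockdown_conf "$SAMPLE_RANGES"
```

Run `apachectl configtest` before reloading with the generated fragment. Because the certbot run in this thread used the standalone authenticator, which listens on port 80 itself rather than through Apache, an Apache-level allow-list does not cover that listener; filter at the security-group level if that is your renewal mode.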
