Renewal blocked by Cloudflare because challenge was coming from outside the US

We just went through a challenge renewing our certs. Cloudflare was intercepting the challenge/response request with a "verify you are human" response. This causes the renewal attempt to fail.
To make a long story short, the challenge request was intercepted by Cloudflare because the request came from Singapore. It would have worked if it had come from the US. We are located in Phoenix, AZ; our website is an AWS instance in the Oregon data center. We have a Geo filtering rule that runs all non-US traffic through a managed challenge.
I realize not everyone will have this problem. We are a state agency and the powers-that-be decided that all non-US traffic gets a closer look than domestic traffic. 99% of our hack attempts do come from outside the US; I used to log them to profile which countries were the worst offenders.
I'm informed we now have a rule that lets this type of request go through, we'll find out in three months if it works or not.
I'm curious how others deal with this type of issue?

See here:

and recently here: Firewall Geoblocking and LetsEncrypt

3 Likes

Hi @Zootal,

One solution is to switch to the DNS-01 challenge (see Challenge Types - Let's Encrypt), as it is the only one that does not need to access a server on the FQDN. However, it does need access to the Authoritative Name Servers to add a TXT record at _acme-challenge.<YOUR_DOMAIN>.

And the Authoritative Name Servers must not be Geo Blocked.

3 Likes
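To make concrete why DNS-01 sidesteps a geo rule on the web server while HTTP-01 does not, here is a small Python example added to this thread (it is not code from Let's Encrypt, from Cloudflare, or from any poster). It derives, from a challenge token and the ACME account key, exactly what each challenge type requires you to publish and where: HTTP-01 puts the key authorization at a URL the CA's own validation servers fetch over port 80, DNS-01 puts a hash of it in a TXT record that only the authoritative name servers need to answer. The derivation follows RFC 8555 (sections 8.1, 8.3, 8.4) and RFC 7638; the sample token is a constructed value in the RFC 8555 format and the sample key is the P-256 public key from RFC 7515's ES256 example, used here only because a thumbprint needs some key.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only, keys sorted lexicographically, no whitespace. Extra members
    such as 'use' or 'kid' and the original member order do not affect it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.1: token '.' thumbprint, binding the challenge to the account key."""
    return f"{token}.{thumbprint}"


def http01_resource(domain: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """HTTP-01 (s8.3): the CA issues a plain-HTTP GET for this URL, on port 80,
    from its own validation servers (so the source country is wherever those
    servers are, not where you are) and expects the key authorization as the
    body. Anything that answers that GET with something else, such as a
    managed-challenge page, fails the validation."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, thumbprint)


def dns01_record(domain: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """DNS-01 (s8.4): publish base64url(SHA-256(key authorization)) as a TXT
    record at _acme-challenge.<domain>. The web server is never contacted;
    only the authoritative name servers must be reachable from the CA."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Sample inputs (constructed for this example): the RFC 7515 ES256 example
# public key, plus a token in the shape Let's Encrypt hands out.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # not part of the thumbprint input
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    url, body = http01_resource("example.com", SAMPLE_TOKEN, thumb)
    name, txt = dns01_record("example.com", SAMPLE_TOKEN, thumb)
    print("HTTP-01: serve", repr(body), "at", url)
    print("DNS-01 : TXT", name, "=", txt)
```

The practical check that follows from this: for HTTP-01, the GET for `/.well-known/acme-challenge/<token>` must succeed from whichever country the CA's validators sit in; for DNS-01, the `_acme-challenge` TXT lookup must succeed against the authoritative name servers from anywhere. Neither check involves your office IP, which is why a renewal can fail even though the site looks fine from Phoenix.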

I use my own custom Cloudflare rules that exempt the /.well-known/acme-challenge path from any security challenges or redirection. As long as your newly implemented rules cover the relevant criteria and settings, you should be all set.

3 Likes
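The exemption described above can be reasoned about offline before waiting three months for the next renewal. The following Python is an added illustration, not code from the poster or from Cloudflare: it models the two WAF custom rules involved (the non-US managed challenge and a path-based skip for `/.well-known/acme-challenge/`) as ordered predicates, shows that the skip has to sit before the challenge rule because the first matching rule wins, and recognises an intercepted validation from the response Cloudflare sends. The rule expressions are included only as documentation strings, in Cloudflare's rule syntax as assumed here, and the `cf-mitigated: challenge` response header is taken from Cloudflare's published behaviour for challenge pages; treat both as assumptions to verify against your own dashboard.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class Request:
    path: str
    country: str      # two-letter country Cloudflare assigns to the client IP
    method: str = "GET"


@dataclass
class Rule:
    name: str
    expression: str   # Cloudflare rules-language text, documentation only (assumed syntax)
    matches: Callable[[Request], bool]
    action: str       # "skip" or a terminating action such as "managed_challenge"


def evaluate(rules: List[Rule], req: Request) -> str:
    """Custom rules are evaluated top to bottom; the first match decides.
    'skip' stops evaluation of the remaining custom rules and lets the
    request through, so it only protects a path if it is listed first."""
    for rule in rules:
        if rule.matches(req):
            return "allow" if rule.action == "skip" else rule.action
    return "allow"


# The exemption: plain-HTTP GETs for the ACME path only. The content served
# there is just the key authorization the CA already knows, so skipping
# challenges for it exposes nothing.
acme_exemption = Rule(
    name="Skip challenges for ACME HTTP-01 validation",
    expression='(http.request.uri.path starts_with "/.well-known/acme-challenge/")',
    matches=lambda r: r.method == "GET" and r.path.startswith(ACME_PATH),
    action="skip",
)

# The state-agency policy from the original post: every non-US client gets a managed challenge.
geo_challenge = Rule(
    name="Managed challenge for non-US traffic",
    expression='(ip.geoip.country ne "US")',
    matches=lambda r: r.country != "US",
    action="managed_challenge",
)


def correct_order() -> List[Rule]:
    return [acme_exemption, geo_challenge]


def wrong_order() -> List[Rule]:
    return [geo_challenge, acme_exemption]


def is_challenge_intercept(status: int, headers: Dict[str, str]) -> bool:
    """Recognise a Cloudflare challenge page from the response metadata rather
    than by scraping HTML. Cloudflare marks such responses with the header
    'cf-mitigated: challenge' (assumed from Cloudflare's docs; verify)."""
    normalised = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return status == 403 and normalised.get("cf-mitigated") == "challenge"


# Constructed requests: the CA's validator fetching the token from Singapore,
# an ordinary visitor from Singapore, and a probe from the US.
VALIDATION_FROM_SG = Request(path=ACME_PATH + "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", country="SG")
LOGIN_FROM_SG = Request(path="/login", country="SG")
ACME_FROM_US = Request(path=ACME_PATH + "x", country="US")

if __name__ == "__main__":
    for label, rules in (("exemption first", correct_order()), ("exemption last", wrong_order())):
        print(f"{label}: validator from SG ->", evaluate(rules, VALIDATION_FROM_SG),
              "| /login from SG ->", evaluate(rules, LOGIN_FROM_SG))
    # Constructed response a renewal client would see when intercepted.
    print("intercepted:", is_challenge_intercept(403, {"CF-Mitigated": "challenge"}))
```

Two caveats worth carrying into the real rule set. First, the exemption must come before the geo rule in the list (or Cloudflare's skip action must be configured to skip that specific rule); placing it afterwards leaves non-US validators challenged, as `wrong_order()` shows. Second, Let's Encrypt validates from several network vantage points, not one, so a rule that only happens to pass for a US-based validator is not enough; the path has to be reachable from all of them.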

That was actually our final solution, to exempt that specific path. So far it seems to work.

3 Likes