In my CloudFlare account I have example.com, and dev.example.com.
I’ve restricted access for dev.example.com using some special cookie. If that cookie isn’t present, then it will block the request.
fw-allow-dev: (http.host eq "dev.example.com" and http.cookie contains "is-dev=my-secret-cookie"), action: Allow
So if they have the cookie, they will be allowed to access the Development Website; if they don’t, then they’ll see Error 1020. This is expected, but now the problem is, LetsEncrypt doesn’t have the cookie, and when they go to request the ACME Challenge, it gets blocked.
What should I do to let Lets Encrypt access the folder so it can verify the domain?
I can’t add this to rule fw-allow-dev: or (http.request.full_uri contains "dev.example.com/.well-known/acme-challenge/") because then if I go to dev.example.com/my-secret-page/?dev.example.com/.well-known/acme-challenge/ it contains the string, so it will allow it. Is there anything I can do to check with something like a regex? I think something like this ^https?:\/\/dev\.example\.com\/\.well-known\/acme-challenge\/ could work, but I’m not sure I’m able to do that with the CloudFlare Firewall.
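The substring problem described above, as an added example that is not part of the original thread: a small Python model of the two rule variants (not Cloudflare's engine), showing why a contains match on the full URI admits the query-string trick while a check on the parsed path component does not. It assumes the cookie name and value from the post as placeholders; the same path-anchored check can be expressed at the edge with the http.request.uri.path field, though the thread does not say which plans offer it.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

DEV_HOST = "dev.example.com"
DEV_COOKIE_NAME = "is-dev"
DEV_COOKIE_VALUE = "my-secret-cookie"        # placeholder value from the post
ACME_PREFIX = "/.well-known/acme-challenge/"
# HTTP-01 tokens are base64url text (RFC 8555 section 8.3): letters, digits, '-' and '_'
ACME_TOKEN = re.compile(r"[A-Za-z0-9_-]+")


def naive_allow(url: str, cookie_header: str) -> bool:
    """Model of the rule proposed in the post: host match, then either the
    dev cookie or a substring match anywhere in the full URI."""
    u = urlsplit(url)
    has_cookie = f"{DEV_COOKIE_NAME}={DEV_COOKIE_VALUE}" in cookie_header
    acme_like = (DEV_HOST + ACME_PREFIX) in url      # matches inside the query string too
    return u.hostname == DEV_HOST and (has_cookie or acme_like)


def path_allow(url: str, cookie_header: str) -> bool:
    """Anchor the ACME exception to the parsed path: the query string is ignored,
    and only a well-formed challenge token is accepted under the prefix."""
    u = urlsplit(url)
    if u.hostname != DEV_HOST:
        return False
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(DEV_COOKIE_NAME)
    if morsel is not None and morsel.value == DEV_COOKIE_VALUE:
        return True
    if u.path.startswith(ACME_PREFIX):
        token = u.path[len(ACME_PREFIX):]
        return ACME_TOKEN.fullmatch(token) is not None
    return False


# Constructed sample requests: a real challenge, the query-string trick from the
# post, a dot-segment variant, and ordinary dev-site traffic with/without cookie.
SAMPLES = {
    "acme":    ("https://dev.example.com/.well-known/acme-challenge/abc123-_X", ""),
    "query":   ("https://dev.example.com/my-secret-page/?dev.example.com/.well-known/acme-challenge/", ""),
    "dotseg":  ("https://dev.example.com/.well-known/acme-challenge/../my-secret-page", ""),
    "cookie":  ("https://dev.example.com/my-secret-page/", "is-dev=my-secret-cookie; theme=dark"),
    "nocookie": ("https://dev.example.com/my-secret-page/", "theme=dark"),
}

if __name__ == "__main__":
    for name, (url, cookies) in SAMPLES.items():
        print(f"{name:9} naive={naive_allow(url, cookies)!s:5} path={path_allow(url, cookies)}")
```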
In this case, just switch from Letsencrypt webroot domain validation to using DNS validation. Most popular Letsencrypt clients do support using DNS validation. I use the acme.sh client, and you can easily do this using acme.sh’s supported DNS APIs, which include the Cloudflare DNS API.
Well, requests will still come only from a certain set of addresses or blocks, so one can narrow that down. They might change, but it might be easier than changing the whole approach. Alternatively, there’s only the DNS validation left.
A Business plan, which does support such a regular expression, is of course an option too.
They moved to multi-point validation some time ago, and they have stated that they will essentially randomise the request source IPs. It is as common a question on their community forum as Flexible is here, and the response is always the same. DNS-01 is the best option where the hostname is not public.