Curl http://dev.example.com/.well-known/acme-challenge -I HTTP/1.1 301 Moved Permanently

mcclosa · June 12, 2022, 4:15pm

I have my site deployed to Vercel, and have set the DNS entries as Proxied.

| Type  | Name        | Content              | Proxy Status | TTL  |
|-------|-------------|----------------------|--------------|------|
| A     | api         | ---.--.--.--         | Proxied      | Auto |
| A     | development | ---.--.--.--         | Proxied      | Auto |
| A     | example.com | --.--.--.--          | Proxied      | Auto |
| CNAME | dev         | cname.vercel-dns.com | Proxied      | Auto |
| CNAME | www         | cname.vercel-dns.com | Proxied      | Auto |

When Vercel builds a project, the final step of the build process is to issue an SSL certificate. As part of this step Vercel makes an HTTP request to <domain>/.well-known/acme-challenge . If this HTTP request gets redirected to HTTPS, Vercel will fail to issue an SSL certificate.

So I’ve added the following page rules and in Edge Certificates I have set Always Use HTTPS as disabled.

When I run

curl http://example.com/.well-known/acme-challenge -I

I get HTTP/1.1 404 Not Found

which means vercel has been configured correctly.

However, when I try to run on the dev subdomain as so

curl http://dev.example.com/.well-known/acme-challenge -I

I get HTTP/1.1 301 Moved Permanently

sandro · June 12, 2022, 4:21pm

The configuration looks all right, what’s the domain?

mcclosa · June 12, 2022, 4:26pm

Thanks for the prompt reply

it’s dev. dodgestats .com

I did forget to mention, that there is an access policy on that domain for only certain emails to have access, could that be the reason the 301 is occurring?

sandro · June 12, 2022, 4:30pm

Presumably. It’s still interesting that Cloudflare does redirect you first to HTTPS and only then to Access, but Access is still the reason for the redirect. Have you tried disabling it? Respectively exclude /.well-known?

mcclosa · June 12, 2022, 4:39pm

Yes, Just tried disabling the access policy and now

curl http://dev.example.com/.well-known/acme-challenge -I

returns HTTP/1.1 404 Not Found

Any idea how I can still have the access policy on all URLs excluding /.well-known within Zero Trust?

sandro · June 12, 2022, 4:40pm

What I meant by

Check out Access policies · Cloudflare Zero Trust docs

mcclosa · June 12, 2022, 6:12pm

Perfect, thanks. That seems to have sorted it

system · June 15, 2022, 6:13pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Do Not Redirect to Https for Some Url Getting Started	8	3588	September 9, 2020
LetsEncrypt http validation for origin on domain using strict ssl Security	5	2867	March 14, 2021
Issues w/ Let's Encrypt SSL ACME Challenge via HTTP-01 Security	2	2221	January 27, 2024
Acme Challenge Page Rule Not Working Security	2	4166	November 15, 2019
Cloudflare & LetsEncrypt ACME Challenge Issue Security	7	24177	July 21, 2022

Curl http://dev.example.com/.well-known/acme-challenge -I HTTP/1.1 301 Moved Permanently

Related topics