Curl http://dev.example.com/.well-known/acme-challenge -I HTTP/1.1 301 Moved Permanently

I have my site deployed to Vercel, and have set the DNS entries as Proxied.

| Type  | Name        | Content              | Proxy Status | TTL  |
|-------|-------------|----------------------|--------------|------|
| A     | api         | ---.--.--.--         | Proxied      | Auto |
| A     | development | ---.--.--.--         | Proxied      | Auto |
| A     | example.com | --.--.--.--          | Proxied      | Auto |
| CNAME | dev         | cname.vercel-dns.com | Proxied      | Auto |
| CNAME | www         | cname.vercel-dns.com | Proxied      | Auto |

When Vercel builds a project, the final step of the build process is to issue an SSL certificate. As part of this step Vercel makes an HTTP request to <domain>/.well-known/acme-challenge. If this HTTP request gets redirected to HTTPS, Vercel will fail to issue an SSL certificate.

So I’ve added the following page rules and in Edge Certificates I have set Always Use HTTPS as disabled.

When I run

curl http://example.com/.well-known/acme-challenge -I

I get HTTP/1.1 404 Not Found

which means Vercel has been configured correctly.

However, when I try to run on the dev subdomain as so

curl http://dev.example.com/.well-known/acme-challenge -I

I get HTTP/1.1 301 Moved Permanently

The configuration looks all right, what’s the domain?

Thanks for the prompt reply

it’s dev. dodgestats .com

I did forget to mention, that there is an access policy on that domain for only certain emails to have access, could that be the reason the 301 is occurring?

Presumably. It’s still interesting that Cloudflare does redirect you first to HTTPS and only then to Access, but Access is still the reason for the redirect. Have you tried disabling it? Respectively exclude /.well-known?


Yes, Just tried disabling the access policy and now

curl http://dev.example.com/.well-known/acme-challenge -I

returns HTTP/1.1 404 Not Found

Any idea how I can still have the access policy on all URLs excluding /.well-known within Zero Trust?

What I meant by

Check out https://developers.cloudflare.com/cloudflare-one/policies/access/#bypass


Perfect, thanks. That seems to have sorted it
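The check the thread does by hand (a plain-HTTP HEAD request to the ACME path, looking for a 301 instead of a 404) is easy to get wrong if curl is run with -L, since following the redirect hides the problem. The script below is an added example, not code from the thread or from Cloudflare or Vercel; it classifies the raw `curl -sI` response so a redirect to HTTPS is flagged before a deploy, and it only ever fetches the first response. The hostnames and the sample responses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): classify what a plain-HTTP
# HEAD request to the ACME challenge path returns, so an HTTP->HTTPS redirect
# (which breaks Vercel's certificate issuance) is caught before a deploy.
# Hostnames such as dev.example.com are placeholders, not real targets.

# acme_status HEADERS -> prints "ok", "redirect <Location>", or "other <code>"
# HEADERS is the raw response as printed by `curl -sI` (status line first).
acme_status() {
    # First line of the response, e.g. "HTTP/1.1 301 Moved Permanently"
    status_line=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
    code=$(printf '%s\n' "$status_line" | awk '{print $2}')
    case "$code" in
        200|404)
            # 404 is the expected answer for a bare /.well-known/acme-challenge
            # on Vercel when nothing intercepts the request; 200 would be a
            # live challenge token being served.
            printf 'ok\n' ;;
        301|302|307|308)
            # Report where the redirect points so the culprit (Always Use HTTPS,
            # a page rule, or an Access policy) is easier to identify.
            location=$(printf '%s\n' "$1" | tr -d '\r' \
                | awk 'tolower($1)=="location:" {print $2; exit}')
            printf 'redirect %s\n' "$location" ;;
        *)
            printf 'other %s\n' "$code" ;;
    esac
}

# Constructed sample responses mirroring what the poster saw, used for the
# offline demonstration; they are not captured from a real host.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://dev.example.com/.well-known/acme-challenge
Server: cloudflare'

SAMPLE_OK='HTTP/1.1 404 Not Found
Server: Vercel'

# check_host HOST -> runs the real HEAD request over plain HTTP and classifies it.
# -L is deliberately absent: following the redirect would hide the problem.
check_host() {
    hdrs=$(curl -sI --max-time 10 "http://$1/.well-known/acme-challenge") \
        || { printf 'error curl\n'; return 1; }
    acme_status "$hdrs"
}

# Stand-alone usage: ./acme-check.sh example.com dev.example.com
for h in "$@"; do
    printf '%s: ' "$h"
    check_host "$h"
done
```

Run it against every hostname that Vercel issues a certificate for, including the ones behind an Access policy. For the Access case the linked Bypass documentation describes the fix the thread settled on: an Access application scoped to the host's /.well-known/acme-challenge path with a Bypass policy, so the path is reachable without authentication while the rest of the site stays protected.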
