Custom WAF Rule not Working

Hello all,

I just have the problem, that one of my custom WAF Rule is blocking the Lets Encrypt Bot, when it tries to renew the certificates.

The rules blocks every traffic which is coming from outside the EU.
Therefore I setup an additional WAF rule which is processed before the blocking rule, to allow the path of the lets encrypt verification. Sadly the requests are still blocked.

Here are my rules:

allowlist the lets encrypt path:
Rule number 1

Blocks traffic outside from EU:
Rule number 3

Sadly the requests are still blocked:

Any help is welcome. Thank you

From that screenshot, it looks like you have a leading space in your Uri Path Value

I would double-check that isn’t the case. You could use startsWith as well instead of contains, it’s only available in Custom Rules through Edit Expression/custom expressions.
(starts_with(http.request.uri.path, "/.well-known/acme-challenge"))
Both should work though.

Thank you. Your where right, really stupid mistake from my side.

The skip rule is now working fine.
Sadly the Lets Encrypt Bot gets now blocked from the “Bot fight mode”
Is this a normal behavior? Why is Cloudflare blocking Lets Encrypt?

Is there some way to bypass the “Bot fight mode” for Lets Encrypt?

Custom Rules can only skip Super Bot Fight Mode (Pro), not Bot Fight Mode (free).
Those look like Let’s Encrypt Secondary Validation Servers, which they run on AWS. Let’s Encrypt uses them for multi-perceptive ( to protect against hijacks and other attacks. They do not publish the IPs anywhere and they are rotating. Part of the point of them is that they are not known (and they use others than just AWS) to ensure that they have an untainted perceptive on the server. I don’t think Cloudflare could feasibly mark them as Known Bots because of that, the only common factors are User Agent.

Your options are to try again (and hope the request doesn’t get challenged), Disable Bot Fight Mode, or Upgrade to Pro which has Super Bot Fight Mode which would let you bypass Super Bot Fight Mode in your custom rule. I don’t think there’s any other way around that, sadly.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.