I’ve setup a site to challenge visitors outside of our country (UK), with the exception of “Known Bots” which get a free pass from any location.
I was curious to see if our local Certbot SSL certificates would renew correctly, or whether Certbot would be blocked by the challenge. I tried a dry-run renewal, and it went through fine. I checked our origin access logs and could see an IPv6 address for Cerbot. I did a lookup of the IP, and it appears to be an Amazon AWS IP from the USA.
I wondered if this means that Certbot is a “Known Bot”? I didn’t see it listed on the Known Bots page here: Firewall Rules FAQ · Cloudflare Firewall Rules docs
Edit: I think I answered my own question. I checked in the Cloudflare Firewall Events and could see Certbot was allowed access with the expression cf.client.bot so I guess it is a known bot.