Is there quick way to check if your IP or IP subnet is blocked by CF?

Hello everyone,
i am not cloudflare (CF) client, however I experience some problems with CF that I dont know how to resolve yet.
I provide shared hosting services and about 2 days ago I noticed that requests for letsencrypt (LE) certificates time out. Checked with LE and found out it is not them blocking my IP.
So next thought was that it is CF blocking.
I checked access from my web server to web sites know to be behind CF and could not access any of them.
I tried to access web sites behind CF from several of my IP addresses (i have IP subnets 45.149.128.0/24 and 45.129.0.0/24) and could not access neither.
Here is, for example, output of curl command:

curl -Iv https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connection timed out
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* Failed to connect to 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
* Failed connect to acme-v02.api.letsencrypt.org:443; Network is unreachable
* Closing connection 0
curl: (7) Failed to connect to 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable

I checked operational status on https://www.cloudflarestatus.com/ and found out that for my region right now (2021-dec-19, UTC+6) status is “re-routed” and I believe it probably means “operational but takes longer route”.

So here is my question:
Is there a rather quick way to find out if my IP addresses/subnets/ASN was blocked by CF for some reason?
Or is it because of operational “re-routed” status in my region?
Or should i just wait and accessibility will be restored automatically?

Thank you

If the DNS records (hostnames) for that domains (from your clients which are using Cloudflare for example) are proxied :orange: at their Cloudflare dashboard, I am afraid the default LE way to renew them would fail just because.

Nevertheless, there are a few workarounds, not sure about them right now at the exact moment, I would have to check up here using the search :search: and write back …

Your clients would have to temporary enable the Pause Cloudflare for your site option or temporary switch from :orange: to :grey: to make sure the process could proceed, if so - in case of some kind of AutoSSL like cPanel or Let’s Encrypt, which cannot be renewed when the Cloudflare :orange: cloud (proxy mode) is enabled.

Wait for some time.
Start the renewing process.
When you are sure it’s working over HTTPS, switch back to :orange: (enable Cloudflare proxied).
Make sure the SSL/TLS option is set to Full (Strict) SSL

  • To renew your Let’s Encrypt SSL certificate while using Cloudflare, you can temporarly switch :orange: to :grey: cloud for A www and A yourdomain.com records at Cloudflare dashboard for your domain (or a CNAME record if you have one).
  • Wait for few minutes for changes to apply.
  • Start the renewing process for your Let’s Encrypt SSL certificate at your host/origin (having :grey: temporarly, it should resolve to your host/origin IP address and you should be able to renew it via DNS/TXT/web host method).
  • After a successfull renewing process, switch back from the temporarly :grey: cloud to :orange: cloud to make sure your Website is proxied via Cloudflare.
  • Make sure you have selected the or Full SSL (Strict) option at Cloudflare.

I doubt Cloudflare blocked your IP/network just like that.

Rather, you might get error like Error 1020 - Access Denied if some owner of the domain name is using security options available to him to protect his website either by blocking IPs, ASNs, countries, etc.

The route could have a couple of more “hops” to reach your origin, or even the request is going through the next closest working Cloudflare network POP to ensure the normal requests flow through the Internet (possible a bit slower, or different area, country, etc.).

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.