
Comment by amluto

3 hours ago

If a user’s verification attempt fails because their own rules block access, that doesn’t sound like a Cloudflare bug. If a user’s verification attempt fails because of Cloudflare’s built-in rules, maybe that’s an issue, and maybe Cloudflare tried to fix that and messed up.

All that being said, this workflow is rather odd. We’re talking about a customer who uses an HTTP-01 challenge to get a certificate for a domain that is proxied by Cloudflare’s TLS-terminating proxy. Setting this up in a way that is useful is dramatically harder than letting Cloudflare deal with the certificate. Maybe the idea is that the user could enable proxying and get something vaguely secure without any reconfiguration at all on the origin machine? How many users have ACME configured and are willing to run a wide-open origin behind Cloudflare anyway?