Resolve a certificate issue when Cloudflare is active
This guide explains how to resolve an SSL certificate (Let's Encrypt or Sectigo) installation issue if you are using Cloudflare with strict security rules, such as country or IP filtering.
Adjust SSL / geoblocking settings
When an SSL certificate is requested via Infomaniak (free Let's Encrypt or Sectigo), the certification authority must verify that you are the owner of the domain. This verification can be done via HTTP (using special files placed on your site), DNS, or email:
- Let's Encrypt uses /.well-known/acme-challenge/.
- Sectigo usually uses /.well-known/pki-validation/ (or DNS / email depending on the option chosen).
If these verifications fail (for example, because Cloudflare blocks access), the certificate cannot be issued or renewed. However, Let's Encrypt no longer verifies from a single location. For some time (and even more since March 2024), it performs its verifications from multiple countries at the same time, including new ones like Sweden or Singapore. Result: if one of these countries is blocked by your Cloudflare settings, the certificate request may fail, even if everything else is correctly configured.
Worse still, even if you create an exception only for the challenge address (.well-known/acme-challenge), it may not work with some Cloudflare rules, because country or IP blocking rules are applied before any URL path-based exception.
Adjust SSL/TLS mode
In Cloudflare, use the Full or Full (strict) mode. These modes temporarily tolerate an expired or self-signed certificate, until the validation is complete.
Allow validation paths
Avoid blocking with "IP Access Rules" and prefer "Custom Rules" that leave these paths unrestricted:
- /.well-known/acme-challenge/ (Let's Encrypt)
- /.well-known/pki-validation/ (Sectigo)
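The following is an added example, not Infomaniak or Cloudflare code: a simplified two-stage model of the evaluation order described above, showing why a path exception cannot rescue a validation request already rejected by an IP Access Rule, while a country block written as a Custom Rule can exempt the validation paths. The country codes, the token in the path and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Validation paths named in this guide (Let's Encrypt, Sectigo).
VALIDATION_PREFIXES = ("/.well-known/acme-challenge/", "/.well-known/pki-validation/")

# Constructed sample data: validator vantage points and request paths.
VANTAGES = ["US", "SE", "SG"]
CHALLENGE = "/.well-known/acme-challenge/constructed-token"
LOGIN = "/wp-login.php"


@dataclass(frozen=True)
class Request:
    country: str  # ISO country code of the validating server
    path: str


def is_validation_path(path: str) -> bool:
    return path.startswith(VALIDATION_PREFIXES)


def evaluate(req: Request, ip_access_block: set, custom_block: set,
             custom_exempts_validation: bool) -> str:
    # Stage 1: IP Access Rules match on the source only (IP or country).
    # They never look at the URL path, so no path exception applies here.
    if req.country in ip_access_block:
        return "blocked by IP Access Rule"
    # Stage 2: Custom Rules can combine country and path in one condition.
    if req.country in custom_block:
        if custom_exempts_validation and is_validation_path(req.path):
            return "allowed"
        return "blocked by Custom Rule"
    return "allowed"


def blocked_vantages(vantages, path, **policy) -> list:
    """Countries whose validation request never reaches the origin."""
    return sorted(c for c in vantages
                  if evaluate(Request(c, path), **policy) != "allowed")


if __name__ == "__main__":
    broken = dict(ip_access_block={"SG"}, custom_block=set(),
                  custom_exempts_validation=True)
    fixed = dict(ip_access_block=set(), custom_block={"SG"},
                 custom_exempts_validation=True)
    print("IP Access Rule geoblock:", blocked_vantages(VANTAGES, CHALLENGE, **broken))
    print("Custom Rule geoblock:   ", blocked_vantages(VANTAGES, CHALLENGE, **fixed))
    print("Same rule, login page:  ", blocked_vantages(VANTAGES, LOGIN, **fixed))
```

Any non-empty result for the challenge path means at least one validation location is cut off, which is the situation in which issuance or renewal may fail.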
Temporarily disable geoblocking
If necessary, temporarily disable geographic or IP blocking for the duration of the validation, then reactivate your protections after the certificate is issued or renewed.