[SSL, Rules] Call out HTTP DCV vs redirects affecting /.well-known/ (#…

…17055) * [SSL] Update troubleshooting.mdx PCX-13770 * Update src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> * Add note about HTTP DCV to Rules docs --------- Co-authored-by: Kim J <73549165+KimJ15@users.noreply.github.com> Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Co-authored-by: Rebecca Tamachiro <rtamachiro@cloudflare.com>
cloudflare · Dec 3, 2024 · 85710f1 · 85710f1
1 parent b5085c0
commit 85710f1
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 8 deletions.
diff --git a/src/content/docs/rules/reference/troubleshooting.mdx b/src/content/docs/rules/reference/troubleshooting.mdx
@@ -10,7 +10,7 @@ description: Review common troubleshooting scenarios for Rules features.
 
 ---
 
-import { Example } from "~/components"
+import { Example, Render } from "~/components"
 
 ## Interaction between Cloudflare challenges and Rules features
 
@@ -22,6 +22,12 @@ For example, define a compound expression for your rule using the `and` operator
 <OTHER_RULE_CONDITIONS> and not starts_with(http.request.uri, "/cdn-cgi/challenge-platform/")
 ```
 
+## HTTP DCV and redirects
+
+<Render file="dcv-definition" product="ssl" />
+
+If you are using [HTTP DCV](/ssl/edge-certificates/changing-dcv-method/methods/http/) and also have [Single Redirects](/rules/url-forwarding/single-redirects/) set up in your zone, consider excluding the `/.well-known/*` path from your rule to avoid DCV issues. For details and other resources refer to the [SSL/TLS documentation](/ssl/edge-certificates/changing-dcv-method/).
+
 ## URL rewrites affect other Rules features executed later
 
 If you rewrite a URI path using a [URL rewrite](/rules/transform/url-rewrite/), this may affect other Rules features executed later — such as [Origin Rules](/rules/origin-rules/) — if they include the URI path in their filter expression.
@@ -31,7 +37,7 @@ Consider the following origin rule configuration:
 <Example>
 
 * Rule expression: `http.host == "example.com" and starts_with(http.request.uri.path, "/downloads/")`
-* **Host header** > **Rewrite to**: `assets.example.com` 
+* **Host header** > **Rewrite to**: `assets.example.com`
 
 </Example>
 
@@ -40,7 +46,7 @@ If you configure a new URL rewrite with the following configuration:
 <Example>
 
 * Rule expression: `http.host == "example.com" and starts_with(http.request.uri.path, "/downloads/")`
-* **Path** > **Rewrite to** > **Dynamic**: `regex_replace(http.request.uri.path, "^/downloads/", "/")` 
+* **Path** > **Rewrite to** > **Dynamic**: `regex_replace(http.request.uri.path, "^/downloads/", "/")`
 
 </Example>
 
@@ -57,7 +63,7 @@ In the current example, you could use the `raw.http.request.uri.path` field in b
 <Example>
 
 * Rule expression: `http.host == "example.com" and starts_with(raw.http.request.uri.path, "/downloads/")`
-* **Path** > **Rewrite to** > **Dynamic**: `regex_replace(raw.http.request.uri.path, "^/downloads/", "/")` 
+* **Path** > **Rewrite to** > **Dynamic**: `regex_replace(raw.http.request.uri.path, "^/downloads/", "/")`
 
 </Example>
 
@@ -66,7 +72,7 @@ In the current example, you could use the `raw.http.request.uri.path` field in b
 <Example>
 
 * Rule expression: `http.host == "example.com" and starts_with(raw.http.request.uri.path, "/downloads/")`
-* **Host header** > **Rewrite to**: `assets.example.com` 
+* **Host header** > **Rewrite to**: `assets.example.com`
 
 </Example>
 

diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/index.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/index.mdx
@@ -13,7 +13,7 @@ description: Learn when and how to perform Domain Control Validation when using
 
 import { Render } from "~/components"
 
-<Render file="dcv-definition" /> <br/>
+<Render file="dcv-definition" />
 
 :::note
 

diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx
@@ -17,7 +17,7 @@ Taking into account the [steps involved in DCV](/ssl/edge-certificates/changing-
 
 :::note
 
-If you are using the Cloudflare API, error messages are presented under the `validation_errors` parameter. 
+If you are using the Cloudflare API, error messages are presented under the `validation_errors` parameter.
 :::
 
 ## Blocked validation URL
@@ -29,9 +29,17 @@ If you have issues while HTTP DCV is in place, review the following settings:
 * **Cloudflare Account Settings** and **Page Rules**: Review your [account settings](/fundamentals/reference/under-attack-mode/), [Configuration Rules](/rules/configuration-rules/), and [Page Rules](/rules/page-rules/) to ensure you have not enabled **I'm Under Attack Mode** on the validation URL.
 
   :::caution
-   <Render file="dcv-path-security" /> 
+   <Render file="dcv-path-security" />
   :::
 
+## Redirection
+
+Enabling [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/) does not impact the validation process.
+
+In a [Partial (CNAME) setup](/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required) where you are managing the token on the origin side, please ensure that no redirection from HTTP to HTTPS occurs on the `/.well-known/*` path.
+
+When using [Redirect Rules](/rules/url-forwarding/single-redirects/) the `/.well-known/*` path should be excluded from redirections.
+
 ## DNS settings and records
 
 The errors below refer to situations that have to be addressed at the authoritative DNS provider:
-Original file line number
+Diff line change
@@ Expand Up @@
     import { Render } from "~/components"
-    <Render file="dcv-definition" /> <br/>
+    <Render file="dcv-definition" />
     :::note
@@ Expand Down @@