DEV Community

Sharon
Sharon

Posted on

Allowing ACME Requests for SSL Certificates in SafeLine WAF

When applying for SSL/TLS certificates using ACME protocols (such as with Let’s Encrypt), certificate authorities need to verify domain ownership. This verification is often done through requests to the special path /.well-known/.

If these requests are blocked by your WAF, the certificate application or renewal process will fail. To ensure smooth SSL certificate issuance and renewal, you need to configure SafeLine WAF to allowlist ACME requests.


1. Why This Matters

SSL/TLS certificates are critical for enabling HTTPS, protecting sensitive data, and preventing traffic interception.

However, if ACME requests to /.well-known/ are blocked, you may face issues such as:

  • SSL certificate application failure
  • Automatic renewal interruptions
  • Websites falling back to insecure HTTP

2. How SafeLine WAF Helps

SafeLine allows fine-grained rule customization. You can add allowlist rules to let legitimate ACME traffic through while keeping malicious traffic blocked.

In this case, we add a rule to allow all requests starting with /.well-known/.


3. Adding the Allowlist Rule

To configure this in SafeLine:

  1. Go to Allow & Deny

    Navigate to the Allow & Deny section in the SafeLine dashboard.

  2. Add a New Allow Rule

    Create a new allowlist rule targeting ACME requests.

You can configure it like this:

  • Match Field: URL Path
  • Condition: Prefix keyword
  • Value: /.well-known

You can set it up like this.

  1. Save and Apply Once saved, SafeLine will allow these requests across all versions from 7.3.0 to the latest.

4. Benefits

  • Seamless HTTPS: Certificates can be issued and renewed without interruptions.
  • Strong Security: Only specific ACME verification requests are allowed, everything else is still filtered.
  • Automated Renewals: Prevents downtime caused by failed SSL renewals.

5. Conclusion

By adding a simple allowlist rule for ACME requests in SafeLine WAF, you ensure that your HTTPS setup works flawlessly with services like Let’s Encrypt. This small configuration step keeps your certificates valid while maintaining strong protection for your site.

Top comments (0)