TLS handshake error-Let's Encrypt

[Jainam-17-18]

I have deployed my application and it's fine when ssl: false under proxy.

Now I have to do ssl: true.

proxy:
  ssl: true
  host: subdomain.domain.com
  app_port: 8081
  response_timeout: 300
  healthcheck:
    interval: 3
    path: /healthcheck
    timeout: 3

But getting error:

{"time":"xxxx","level":"INFO","msg":"http: TLS handshake error from 103.136.75.230:61871: acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz/xxxxxxxx/xxxxxxxx\" for domain \"mysubdomain.domain.com\": no viable challenge type found"}

Server Setup:
Have checked my server's both Port 80 and 443 is showing opened on https://portchecker.co/ .
Server transfer request to VM where the application had been deployed.

I have a server's port (abcd) which map with NAT to VM's port (443).
I also have another port (wxyz) which map with NAT to VM's port (80).

[dipth]

I have the same problem.

config/environments/production.rb

Rails.application.configure do
  config.assume_ssl = true
  config.force_ssl = true
end

config/deploy.yml

proxy:
  ssl: true
  host: alpha.REDACTED.com

Cloudflare DNS

Cloudflare TLS

Proxy log

2025-01-11T15:45:58.312132198Z {"time":"2025-01-11T15:45:58.311506309Z","level":"INFO","msg":"http: TLS handshake error from 162.158.134.133:40122: acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED/REDACTED\" for domain \"alpha.REDACTED.com\": no viable challenge type found"}

Firewall

I am able to connect to the server using http via Cloudflare:

╰─⠠⠵ curl -I http://alpha.REDACTED.com                   
HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jan 2025 16:02:28 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Location: https://alpha.REDACTED.com/
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=REDACTED"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9006219e5ae9be56-CPH
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=10642&min_rtt=10642&rtt_var=5321&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=78&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

I am also able to connect to the server using http directly:

╰─⠠⠵ curl -I -H "Host: alpha.REDACTED.com" REDACTED_IP
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html; charset=utf-8
Location: https://alpha.REDACTED.com/

[dipth]

I was able to find a solution in the thread here:
basecamp/kamal-proxy#26

Turns out that I had a Cloudflare WAF page rule that initiated a browser challenge to visitors from some country that happened to be the country that LetsEncrypt issues a request from to verify domain ownership.
Adding a condition to that rule to skip the rule for the path that LetsEncrypt uses, fixed the issue.