Error 521: "error rendering the resource registry configuration" and fail2ban / CloudFlare IP whitelisting

If your Plone site stops serving JavaScript, e.g. the Add New popup menu no longer appears and instead you are taken to a new page showing the things you can add, open your browser console. If you see HTTP error 521 and if, when you navigate to Site Setup -> Configuration Registry, you see the error message "error rendering the resource registry configuration", it may be (as it was for me) that your fail2ban configuration has been blocking IP addresses used by CloudFlare.

See https://support.cloudflare.com/hc/en-us/articles/200171916-Error-521-Web-server-is-down specifically

A 521 error occurs because the origin web server refused the connection from Cloudflare. This means we tried to connect to your origin on port 80 or 443 but received a 'connection refused' error.

This commonly happens under two conditions:

The origin web server process (e.g. Apache or Nginx) isn't running, or has crashed. You should check that your web server is running normally. You may also wish to check your server's error logs to see what caused this. If you are not sure how to do this, or don't have access to your logs, your host should be able to advise you.
Something on the web server or hosting provider's network is blocking Cloudflare's requests. Since Cloudflare acts as a reverse proxy, all connections to your server come from a Cloudflare IP. Since the same amount of traffic now comes from a smaller number of IPs, server-side security solutions can mistake the increase in connections from this smaller set of IPs as an attack, when they are legitimate. This leads to some of our IPs being blocked or rate-limited.
It's a good idea to ensure that all of our IP ranges are whitelisted in your server's firewall or any security software that you might be running. Our IP ranges can be found here:

IP Ranges

In my case I went to https://www.cloudflare.com/ips-v4 and obtained the CloudFlare IP addresses that should be whitelisted by my fail2ban configuration in /etc/fail2ban/jail.local, as per GitHub - fail2ban/fail2ban: Daemon to ban hosts that cause multiple authentication errors

After adding those IP addresses to the ignoreip value, I restarted fail2ban with /etc/init.d/fail2ban restart and my JavaScript serving problem was fixed.