Renew Let’s Encrypt for Cloudflare-powered websites with Apache Ubuntu

ubuntu
ssl

#1

Let’s Encrypt SSL fails to renew automatically on Cloudflare-powered sites. Whether it is Apache or Nginx, both use an authentication method called TLS-SNI-01 which is incompatible with Cloudflare or any other CDN. It will not work for both initial issuance and renewals.

So, if you need to use this method, you will always have to disable the CDN temporarily for initial issuance and renewals. Please note that this method only works if you have installed a separate certificate for each of your domain.

  • On Cloudflare, temporarily pause Cloudflare by going to the Overview tab, and activating ‘Pause Cloudflare on Site’ under the ‘Advanced Actions’ section:

  • Then, open your Apache web server and renew SSL individually for each domain using the following command.
    sudo certbot renew --cert-name example.com

  • Remember to replace example.com with your own domain name. Run the command separately for each of your domain names.

  • Once it has been successfully renewed, restart your Apache web server using the appropriate command.
    sudo service apache2 restart

  • Alternatively, you can also use the command:
    sudo restart apache2

  • Finally, check certificate renewal dates for your domain using the following command.
    sudo certbot certificates

  • Let’s Encrypt’s automatic renewal system will not work for websites powered by Cloudflare or any other CDN. So, note down the next renewal date and set reminders to do your next renewal by yourself following the same method.

  • Now, you shall go back to Cloudflare and select ‘Pause Cloudflare on Site’ under the Overview tab.

Note: This method only works if you have installed separate SSL certificates for each of your domain.


#2

And to remove/revoke a certificate for a particular domain, use the following command:

sudo certbot delete --cert-name example.com