BonBon Slick, 2019-10-29 10:39:18

Certbot cron will NOT work if a CDN is configured?

https://certbot.eff.org/lets-encrypt/debianstretch... Running

sudo certbot renew --dry-run

returns an error, because the certificates have already expired and the site has been down for a week.

The certificates cannot be renewed because the CDN redirects traffic to SSL, and the cron job needs HTTP.

How, then, should automatic certificate renewal be configured?

Processing /etc/letsencrypt/renewal/test.tv.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.test.tv
http-01 challenge for test.tv
http-01 challenge for www.test.tv
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (test.tv) from /etc/letsencrypt/renewal/test.tv.conf produced an unexpected error: Failed authorization procedure. test.tv (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://test.tv/.well-known/acme-challenge/55VUbTll9UlH6K6BplHvw4_Hm-qZ9xuS-1pR2w52beU [2606:4700:30::6812:3cee]: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n<meta name=\"viewport\"", www.test.tv (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.test.tv/.well-known/acme-challenge/BT1zNZME8ybA8b9VDJFPEwXRLSPCCirlARmCDiDNf34 [2606:4700:30::6812:3dee]: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n<meta name=\"viewport\"", pgsql4.admin.test.tv (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for pgsql4.admin.test.tv, api.test.tv (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://api.test.tv/.well-known/acme-challenge/ota9EFkeKXgigiLiqK-ZkBCymnZ_ln3IAVg4yx7OW8k [2606:4700:30::6812:3cee]: 404. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/adminpgsql4.test.tv.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for adminpgsql4.test.tv
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (adminpgsql4.test.tv) from /etc/letsencrypt/renewal/adminpgsql4.test.tv.conf produced an unexpected error: Failed authorization procedure. adminpgsql4.test.tv (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for adminpgsql4.test.tv. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/test.tv-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/test.tv/fullchain.pem (failure)
  /etc/letsencrypt/live/adminpgsql4.test.tv/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
...
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: adminpgsql4.test.tv
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up A for adminpgsql4.test.tv
 - The following errors were reported by the server:

   Domain: adminpgsql4.test.tv
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up A for adminpgsql4.test.tv
 - The following errors were reported by the server:

   Domain: api.test.tv
   Type:   unauthorized
   Detail: Invalid response from
   https://api.test.tv/.well-known/acme-challenge/PsUxuUXsnJp7v1Yc3V_kqd2JsFozuCAjiu6wJ9AUVsE
   [2606:4700:30::6812:3cee]: 404

   Domain: www.test.tv
   Type:   unauthorized
   Detail: Invalid response from
   https://www.test.tv/.well-known/acme-challenge/q0fdANy0sFy0VyIq9oenBFZjCJHEmDpo3uKBUO6Q0gA
   [2606:4700:30::6812:3dee]: "<!DOCTYPE html>\n<html>\n<head>\n<meta
   charset=\"utf-8\">\n<meta http-equiv=\"X-UA-Compatible\"
   content=\"IE=edge\">\n<meta name=\"viewport\""

   Domain: test.tv
   Type:   unauthorized
   Detail: Invalid response from
   https://test.tv/.well-known/acme-challenge/N9mwBk_5P23c2S3kxck3eUv7C1aSNxH3jk-qN1hdNJw
   [2606:4700:30::6812:3dee]: "<!DOCTYPE html>\n<html>\n<head>\n<meta
   charset=\"utf-8\">\n<meta http-equiv=\"X-UA-Compatible\"
   content=\"IE=edge\">\n<meta name=\"viewport\""

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:


Now, in order to restore the site, it is necessary to manually disable SSL for each certificate (which cannot be done), reconfigure the domains for HTTP, reissue the certificates, then wait until indexing completes and configure them under SSL again.

UPD: https://community.letsencrypt.org/t/impossible-to-...
UPD. If you renew the certificates before they have expired,

sudo certbot renew --webroot -w /var/www/letsencrypt

this approach works. You just need to create a folder for the temporary keys. For cron jobs it is also worth using the webroot plugin.
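A preflight check for the webroot approach described in the update above, added here as an example; it is not part of the original post. It assumes the webroot /var/www/letsencrypt from the post, nginx on the origin as in the log, curl on the host, and a domain name passed as the first argument; the nginx snippet, file names and helper functions are the example's own. The script places a probe file where certbot's webroot plugin places the real token, fetches it over plain HTTP while following redirects (the CA's validator follows the CDN's HTTP-to-HTTPS redirect as well, so the challenge path has to be served from the webroot in both the :80 and :443 server blocks), and classifies the body the way the failures in the log read: an HTML page or an empty 404 body instead of the token means the renewal will fail.

```shell
#!/bin/sh
# Added example, not from the original post: preflight check for HTTP-01
# renewal behind a CDN with certbot's webroot plugin.
# Assumptions: webroot /var/www/letsencrypt (from the post), nginx on the
# origin (as in the log), curl available; file names and helpers are mine.

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"

# Classify the body fetched from /.well-known/acme-challenge/<token>.
# Returns 0 only when the body is exactly the token certbot wrote; anything
# else is what the CA reports as "Invalid response" (the HTML page and the
# 404 in the log above).
check_challenge_body() {
    body="$1"
    expected="$2"
    case "$body" in
        "$expected")
            return 0 ;;
        "<!DOCTYPE"*|"<html"*|"<HTML"*)
            echo "challenge path returned an HTML page instead of the token" >&2
            return 1 ;;
        "")
            echo "empty body: 404 or the request never reached the webroot" >&2
            return 1 ;;
        *)
            echo "unexpected body: $body" >&2
            return 1 ;;
    esac
}

# Create a probe file where the webroot plugin puts the real token files.
# Prints the probe token so the caller can fetch and then remove it.
write_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="probe-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token"
    echo "$token"
}

# nginx location to include in BOTH the :80 and :443 server blocks, before
# any HTTP-to-HTTPS redirect: the CA follows the CDN's redirect to https, so
# the origin has to serve the challenge files over TLS as well.
nginx_acme_location() {
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $WEBROOT;
    default_type "text/plain";
}
EOF
}

# Fetch the probe over plain http, following redirects like the validator does.
probe_domain() {
    domain="$1"
    webroot="$2"
    token=$(write_probe "$webroot")
    body=$(curl -sS -L --max-redirs 10 --max-time 20 \
        "http://$domain/.well-known/acme-challenge/$token")
    rc=0
    check_challenge_body "$body" "$token" || rc=1
    rm -f "$webroot/.well-known/acme-challenge/$token"
    return $rc
}

# Usage (assumed): sh acme-preflight.sh test.tv
if [ "$#" -ge 1 ]; then
    if probe_domain "$1" "$WEBROOT"; then
        echo "HTTP-01 path OK for $1; schedule: certbot renew --webroot -w $WEBROOT"
    else
        echo "HTTP-01 would fail for $1; add this to both server blocks:" >&2
        nginx_acme_location >&2
        exit 1
    fi
fi
```

Run it once per name in the certificate (test.tv, www.test.tv, api.test.tv) before scheduling the cron job; only when every name passes is `certbot renew --webroot -w /var/www/letsencrypt` worth putting in cron. The CDN also has to pass /.well-known/acme-challenge/ through to the origin uncached: a 404 on that path, as for api.test.tv in the log, means the file was never served from the webroot.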


1 answer(s)
ky0, 2019-10-29

Renew via confirmation in the DNS record.
