Let’s Encrypt SSL fails to renew automatically on Cloudflare-powered sites. Whether it is Apache or Nginx, both use an authentication method called TLS-SNI-01 which is incompatible with Cloudflare or any other CDN. It will not work for both initial issuance and renewals.
So, if you need to use this method, you will always have to disable the CDN temporarily for initial issuance and renewals. Please note that this method only works if you have installed a separate certificate for each of your domain.
On Cloudflare, temporarily pause Cloudflare by going to the Overview tab, and activating Pause Cloudflare on Site under the Advanced Actions section:
Then, open your Apache web server and renew SSL individually for each domain using the following command.
sudo certbot renew --cert-name example.com
Remember to replace example.com with your own domain name. Run the command separately for each of your domain names.
Once it has been successfully renewed, restart your Apache web server using the appropriate command.
sudo service apache2 restart
Alternatively, you can also use the command:
sudo restart apache2
Finally, check certificate renewal dates for your domain using the following command:
sudo certbot certificates
Let’s Encrypt’s automatic renewal system will not work for websites powered by Cloudflare or any other CDN. So, note down the next renewal date and set reminders to do your next renewal by yourself following the same method.
Now, you shall go back to Cloudflare and select Enable Cloudflare on Site under the Advanced Actions section in the Overview tab.