Domain based autorenewal with CDN

Is there any way to set up domain based autorenewal if I'm using a CDN?
I'm hosting on GCP and using Akamai, and renewal fails every time.
Reading the documentation I see it needs plain HTTP traffic for file validation (I force HTTPS with the CDN).
Is DNS validation the only way?

Hi @neo_doomtrain

read

A redirect http -> https isn't a problem.

It's a question of your client configuration.

Certbot --> --webroot

Well, you could also be having trouble because the current configuration requires the CDN to terminate the TLS (HTTPS) connections.
So that HTTP would have reached your (backend) server, but that is being redirected to HTTPS.
And the CDN isn't passing all of the HTTPS requests to your (backend) server.
Most CDNs will usually provide you with an option to obtain a cert directly from them for this back channel communication and handle the client side cert on their own.
Again, there are many available vendor choices to make within the CDN configuration, so you may need to review their documentation and follow their recommendations.
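A pre-flight check for the situation described above, added here as an example and not code from anyone in this thread. It drops a random probe file into the same webroot directory `certbot --webroot` would use, fetches it through the public hostname the way the ACME CA does (plain HTTP, following a redirect to HTTPS), and reports whether the CDN actually hands the `/.well-known/acme-challenge/` path through to the origin. The hostname and webroot path are assumptions passed in by the caller.

```python
"""Pre-flight probe for HTTP-01 validation behind a CDN."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def probe_url(domain: str, token: str) -> str:
    """The URL the CA fetches: plain HTTP, challenge path, token as filename."""
    return f"http://{domain}/{CHALLENGE_DIR}/{token}"


def write_probe(webroot: str) -> tuple:
    """Create a random probe file under webroot/.well-known/acme-challenge/."""
    token = secrets.token_urlsafe(24)  # constructed probe, not a real challenge
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def judge(status: int, body: bytes, token: str) -> str:
    """Classify the final response the way the CA would."""
    if status != 200:
        return f"fail: HTTP {status} (CDN/WAF rule or file not at origin)"
    if body.strip() != token.encode():
        return "fail: body is not the probe (CDN served cached/other content)"
    return "ok: challenge path reaches the origin"


def fetch(url: str) -> tuple:
    """GET url following redirects (the CA does too); status, body, final URL."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(), resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, err.read(), err.geturl()


def check(domain: str, webroot: str) -> str:
    """Write the probe, fetch it via the CDN, clean up, return a verdict."""
    token, path = write_probe(webroot)
    try:
        status, body, final = fetch(probe_url(domain, token))
        note = " (redirected to HTTPS, which is fine)" if final.startswith("https://") else ""
        return judge(status, body, token) + note
    finally:
        os.remove(path)  # never leave the probe behind in the webroot
```

Run `check("example.com", "/var/www/html")` on the origin host; a verdict other than `ok` means the CDN needs a pass-through rule for the challenge path, or DNS-01 is the better route.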

Thanks Juergen, I gather that it should follow the http->https redirect then. I'll try to work on this a little more.

Personally, I would switch to a DNS based system and use acme-dns to handle the automation.

From my experience with Akamai and other automated systems, this insight by @rg305 had always been the problem:

You can set bypass rules in the Akamai management console, but it is a pain and you will likely end up creating a mess of "exceptions" that are not documented and will confuse the next person who has to handle your integration. I would just leave the HTTP/HTTPS traffic as-is and switch over to managing everything via DNS.
