Timed / Scheduled Pausing of DNS CDN for a subdomain

Hey Community,

I can only seem to find an article telling me how to temporarily disable CDN but this I already know to fix my problem manually.

In short, I run certbot on a cron and would very much like to maintain my own valid SSL certs despite using CDN on this subdomain 99.9% of the time.

However, certbot fails when CDN picks up the phone on domain verification, if you catch my drift.

My aim is a configuration, app or script which I can configure to +/- 1hr around the time of my cronjob which checks the certs at the end of every month. This would disable CDN allowing certbot to renew then an hour after that it will switch CDN back on.

Fairly sure this isn’t a dupe, I’ve been searching this for ages and can’t see a clever way to do it.
Hopefully my description makes sense.

Pausing Cloudflare involves DNS propagation, so you will never have a guarantee that a two hour window will be sufficient.

I’d expect the verification to go through even with Cloudflare on. If it doesn’t, you might want to check why and fix that. Alternatively you could choose a different method than HTTP. DNS verification, for example.


Thanks, I’ve just been working to reset the board so to speak.

I thought since no actual DNS values changed, just what Cloudflare DNS servers do with the request, it would be instant, but this must just be me getting lucky when I’ve disabled and it’s become instantly transparent.

I’ll keep an eye out for the HTTP renewal error, but it pushes without issue when CDN is disabled. I’ll just need to troubleshoot it come the time, all steps performed on last occurrence pointed to CDN.

Ehm, when you pause Cloudflare all proxied records become unproxied.

It’s a single sub domain having HTTP proxy disabled, not a global pause. This tells me the HTTP challenge will never work when it’s enabled, this is confirmed by my tests disabling it.

Since all other DNS servers come to Cloudflare DNS for my IP (or the proxy IP), their change should be quick.

I understand propagation if I add a new A, CNAME etc. or switch NS, but so far on my side HTTP proxy disable has been almost instantaneous, both on my side and from the Let’s Encrypt challenge servers.

But OK, let’s chalk that up to luck and then assume the worst case for propagation times.

My point is, the 2 hour window was a quick estimate based on the tests I’ve performed so even if propagation is an issue here, I’ll just increase the window.

Original Question:
Can I set a dumb timer to Disable then Enable CDN/HTTP Proxy for a single Subdomain under DNS settings?
Alternatively, is there API access to switch this on and off, then I can just rig the timer myself?

It would be great to have some ammo on these two fronts because if I start to see the challenge error in logging again I’m at risk of exceeding renewal requests on a bad challenge which is a world of pain to recover from. If I trigger this on the next cron schedule I’ll have new logs for reference, but with an answer to my automation question, I’ll be able to prevent the excessive bad requests until I can find the reason (other than the obvious) for the challenge failure.

You can pause it via the API

https://api.cloudflare.com/#zone-edit-zone

Alternatively you can also switch a record via the API -> https://api.cloudflare.com/#dns-records-for-a-zone-update-dns-record

Though your DNS setup is not clear to me. If the record is not proxied anyhow, you don’t need to pause anything in the first place.

Thanks, API DNS update with the proxy flag looks like the best for now. I don’t really want to alter the NS records.

It will be proxied, but I have to disable it for a renewal to work. Having just performed this in the time it took the cloud to go orange > grey and me to open a new tab and load my site, I’m getting the proper (expiring) cert instead of the Cloudflare cert. From here I renew, then enable proxy until next time. Changing renewal method seems a lot of foundation digging when I can just open and close the curtains for a period of time.

Skimming this topic, I’m pretty sure Pausing Cloudflare is a 5 minute propagation. If the record is set to Auto TTL or if it’s :orange:, then TTL is 5 minutes. That should be quick enough for a brief Certbot renewal.


What you are trying to do is completely unnecessary. You can validate using the DNS-01 method.

Certbot has a plugin to do this. Personally, I use acme.sh to do the same thing, but there are other options, including rolling your own.

You provide your Cloudflare API key, and instead of putting a special file in place, you put a special DNS record in place. The result is the same, but no need to :grey: or otherwise disable the SSL configuration on your Cloudflare zones.
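Both approaches in this thread, the proxy-flag toggle via the DNS record API that the asker marked as the solution and the DNS-01 route described just above, come down to a handful of calls against the same API. The following script is an added example, not code from the thread or from Cloudflare or certbot; it wires both into certbot hooks. It assumes the public v4 endpoints (`GET/POST /zones/{zone}/dns_records`, `PATCH`/`DELETE /zones/{zone}/dns_records/{id}`), a scoped API token in `CF_API_TOKEN` and the zone id in `CF_ZONE_ID`, and certbot's `CERTBOT_DOMAIN` / `CERTBOT_VALIDATION` hook variables; `FakeZone`, the hostnames, record ids and token values are constructed for offline use. `PATCH` with only `{"proxied": …}` is used instead of the `PUT` endpoint linked earlier so the record's other fields are never overwritten.

```python
"""Certbot hooks against the Cloudflare v4 DNS API (added example, not from the thread)."""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"  # public v4 base URL


def _http_send(req):
    """Default transport: perform the HTTPS call and decode the JSON envelope."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def cf_request(method, path, body=None, transport=_http_send):
    """One authenticated call; `transport` is swappable so the hooks can run offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + os.environ.get("CF_API_TOKEN", ""))
    req.add_header("Content-Type", "application/json")
    reply = transport(req)
    if not reply.get("success"):
        raise RuntimeError("Cloudflare API error: %r" % reply.get("errors"))
    return reply["result"]


def find_records(zone_id, name, rtype, transport=_http_send):
    """List records of one type with an exact name (GET .../dns_records?name=&type=)."""
    query = urllib.parse.urlencode({"name": name, "type": rtype})
    return cf_request("GET", "/zones/%s/dns_records?%s" % (zone_id, query), transport=transport)


def set_proxied(zone_id, name, proxied, transport=_http_send):
    """Grey-cloud (False) or orange-cloud (True) exactly one A/AAAA record; idempotent."""
    recs = [r for t in ("A", "AAAA") for r in find_records(zone_id, name, t, transport)]
    if len(recs) != 1:  # refuse to guess when the name is ambiguous or missing
        raise RuntimeError("expected one A/AAAA record for %s, found %d" % (name, len(recs)))
    rec = recs[0]
    if rec["proxied"] == proxied:
        return rec  # already in the wanted state: no write, no TTL churn
    path = "/zones/%s/dns_records/%s" % (zone_id, rec["id"])
    return cf_request("PATCH", path, {"proxied": proxied}, transport)


def publish_challenge(zone_id, domain, token, transport=_http_send):
    """DNS-01: create the _acme-challenge TXT record the CA will query."""
    body = {"type": "TXT", "name": "_acme-challenge." + domain, "content": token, "ttl": 120}
    return cf_request("POST", "/zones/%s/dns_records" % zone_id, body, transport)


def cleanup_challenge(zone_id, domain, transport=_http_send):
    """DNS-01: delete every _acme-challenge TXT record once validation is done."""
    for rec in find_records(zone_id, "_acme-challenge." + domain, "TXT", transport):
        cf_request("DELETE", "/zones/%s/dns_records/%s" % (zone_id, rec["id"]), transport=transport)


class FakeZone:
    """In-memory stand-in for the API (constructed test double, not Cloudflare code)."""

    def __init__(self, records):
        self.records = {r["id"]: dict(r) for r in records}
        self.seq = len(records)

    def send(self, req):
        url = urllib.parse.urlparse(req.full_url)
        parts = url.path.split("/")  # ['', 'client', 'v4', 'zones', <zone>, 'dns_records', <id>]
        rec_id = parts[6] if len(parts) > 6 else None
        body = json.loads(req.data) if req.data else {}
        method = req.get_method()
        if method == "GET":
            want = urllib.parse.parse_qs(url.query)
            hits = [r for r in self.records.values()
                    if r["name"] == want["name"][0] and r["type"] == want["type"][0]]
            return {"success": True, "result": hits}
        if method == "POST":
            self.seq += 1
            body["id"] = "rec%d" % self.seq
            self.records[body["id"]] = body
            return {"success": True, "result": body}
        if method == "PATCH":
            self.records[rec_id].update(body)
            return {"success": True, "result": self.records[rec_id]}
        if method == "DELETE":
            return {"success": True, "result": self.records.pop(rec_id)}
        return {"success": False, "errors": [{"message": "unsupported in fake"}]}


if __name__ == "__main__":  # hook entry point; zone id and token come from the environment
    zone, action = os.environ["CF_ZONE_ID"], sys.argv[1]
    if action in ("grey", "orange"):  # --pre-hook "... grey <host>" / --post-hook "... orange <host>"
        set_proxied(zone, sys.argv[2], action == "orange")
    elif action == "auth":  # --manual-auth-hook: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION
        publish_challenge(zone, os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"])
        time.sleep(30)  # give the new TXT record time to be served before the CA queries it
    elif action == "cleanup":  # --manual-cleanup-hook
        cleanup_challenge(zone, os.environ["CERTBOT_DOMAIN"])
```

For the HTTP-01 toggle the cron line becomes `certbot renew --pre-hook "python3 cf_hooks.py grey sub.example.com" --post-hook "python3 cf_hooks.py orange sub.example.com"`, so the grey window lasts exactly as long as the renewal attempt instead of a fixed +/- 1 hour guess. For DNS-01 it is `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "python3 cf_hooks.py auth" --manual-cleanup-hook "python3 cf_hooks.py cleanup" -d sub.example.com`, and the proxy is never touched. In both cases the API token only needs DNS edit permission on that one zone; `set_proxied` deliberately refuses to act unless it finds exactly one A/AAAA record, so a typo in the hostname fails loudly rather than un-proxying the wrong record.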


Thanks for the input, but it doesn’t cover the original question; the response I’ve marked as the solution prior does.

Everyone’s solutions are completely unnecessary when you seek to replace the entire setup which begged the solution in the first place.