Tags: ssl, amazon-ec2, cloudflare, bitnami

bncert won’t renew the SSL certificate - AWS EC2 / Bitnami / Cloudflare


There is a site I have more recently been working on. They are hosted on AWS EC2 with Cloudflare active on the primary domain. There's also a secondary domain, not associated with Cloudflare, that is pointed directly at the AWS IP address; it is simply redirected to the primary domain, but it is used for email.

In Cloudflare, there is an Edge certificate on the primary domain, and Full encryption mode is enabled and it says it's active / working: https://cln.sh/TvfQNLjq

On the server, there is a Let's Encrypt SSL cert covering the main domain and the redirected domain. I did not set this up.

I believe that SSL cert is supposed to auto-renew, but it did not and it recently expired. I went to renew it using the bncert tool but it's giving an error that the primary domain "resolves to a different IP address", which I'm sure is due to Cloudflare.

The primary domain is seemingly unaffected by the SSL cert expiration. The redirected domain however is giving the “Connection Not Private” error.

What is the best solution here, should I override it, or remove the primary domain from the cert?

By overriding I am referring to:

sudo /opt/bitnami/bncert-tool --perform_public_ip_validation 0 --perform_dns_validation 0

If I override it, does the cert still cover the primary domain?


Solution

  • Solution: I found out that Cloudflare actually has a setting where you can just temporarily pause it, without having to change any DNS settings or anything: https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/manage-domains/pause-cloudflare/

    Once I paused it, it only took minutes for the DNS to update, which meant the "resolves to a different IP address" error no longer came up. So then I was able to renew the SSL cert without any issue, and then re-enable Cloudflare.
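A pre-flight check, added here as an example and not part of the original thread or of the Bitnami tooling, that confirms every domain on the certificate currently resolves to the origin's public IP (the condition behind the "resolves to a different IP address" error) before bncert is run, rather than skipping the check with --perform_dns_validation 0. The domain names and IP addresses in the test are constructed, and the resolver is injectable so the logic can be exercised offline.

```python
"""Pre-flight DNS check before renewing with bncert-tool behind Cloudflare.

While Cloudflare proxies a domain, public DNS returns Cloudflare edge IPs,
not the EC2 instance's IP, so bncert's DNS validation fails.  This helper
reports, per domain, whether public DNS points at the origin again (for
example after pausing Cloudflare), so the operator can wait for propagation
instead of disabling validation.
"""
import socket
from typing import Callable, Dict, List

# A resolver maps a hostname to its IPv4 addresses; the default uses the
# system resolver, tests inject a fake one.
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve a hostname to a sorted, de-duplicated list of IPv4 addresses."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_domains(domains: List[str], origin_ip: str,
                  resolve: Resolver = system_resolver) -> Dict[str, dict]:
    """For each domain, record its addresses and whether they are exactly
    the origin IP.  A domain that also returns other addresses (e.g. a
    proxy's) is reported as not pointing at the origin."""
    results: Dict[str, dict] = {}
    for domain in domains:
        try:
            addrs = resolve(domain)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            results[domain] = {"addresses": [], "points_at_origin": False,
                               "error": str(exc)}
            continue
        results[domain] = {"addresses": addrs,
                           "points_at_origin": set(addrs) == {origin_ip},
                           "error": None}
    return results


def ready_to_renew(results: Dict[str, dict]) -> bool:
    """True only when every domain on the certificate resolves to the origin."""
    return bool(results) and all(r["points_at_origin"] for r in results.values())


if __name__ == "__main__":
    import sys
    # Usage: python check_dns.py <origin-public-ip> <domain> [<domain> ...]
    report = check_domains(sys.argv[2:], sys.argv[1])
    for name, info in report.items():
        print(name, info["addresses"], "OK" if info["points_at_origin"] else "MISMATCH")
    sys.exit(0 if ready_to_renew(report) else 1)
```

Run it against the instance's public IP after pausing Cloudflare; a zero exit status means DNS has caught up and bncert's check should pass.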