Thanks for reporting this, we'll try to look at it as soon as we can.
> BTW: That wouldn't have happened if LetsEncrypt certs were used, because their "certbot" renews them automatically.

We do, but there are multiple problems here. While Fastly correctly renews the pkg.jenkins.io certificate at its level, the backend still uses the `pkg.jenkins.io` endpoint, and that certificate can't be renewed as it doesn't pass the HTTP check now that `pkg.jenkins.io` redirects to Fastly.
I update the backend to use pkg.origin.jenkins.io instead of pkg.jenkins.io
The second issue is that the certbot version installed on pkg.origin.jenkins.io is quite old and needs to be upgraded, as it relies on the ACME API v1 and we can't request a new certificate for pkg.origin.jenkins.io.