Access to the raw TLS certs via the Fly API

Hi :wave: ,

The support for custom TLS certs is excellent.

One (obvious?) limitation is that it requires using the TLS middleware. For use cases where that isn’t possible or desired, would it be possible to have access to the certs directly via the API?

There are a few HTTP proxies (Caddy, Envoy, etc.) that support loading certs from disk/API/storage, and it’d be excellent to be able to query Fly’s vault for the certs based on the incoming request without having to interact with Let’s Encrypt directly.

The equivalent of flyctl certs get example.com would be dope :lock: :sparkles:

Please charge me for this :moneybag: :smiley:

3 Likes

That’s a good idea. We’ve made this harder to implement than you’d think because security. Our API/web layer can’t actually read private keys for certificates back out of vault, only the edge nodes can.

We’ve been thinking about exposing a private API over 6pn that could be a useful place to do something like this.

Seconding this. I have an app that cannot use the TLS middleware (because STARTTLS) and it would be nice not to manage Let’s Encrypt runs from inside the app myself.

Out of curiosity, how would you want to verify certificate ownership? If we’re not handling TLS, it would almost have to be a CNAME _acme-verification record.

In my case I’m happy for fly.io to continue to handle HTTPS for the app, but I have another port a service is running on and that other service needs direct access to the cert.
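Added example (not from this thread, and not Fly’s API or code): the pattern the two requests above describe, a proxy or a non-HTTP service on another port that loads its certs from disk per incoming request and picks up a rotated cert without a restart, shown with Go’s tls.Config.GetCertificate hook. The directory layout (<dir>/<sni-name>/fullchain.pem and privkey.pem), the certStore type and the self-signed test certificate are all assumptions made for this example; in a real deployment the files would be the CA-issued chain and key placed there by whatever fetches them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// certStore answers tls.Config.GetCertificate from PEM files on disk, laid out
// as <dir>/<sni-name>/fullchain.pem and privkey.pem (an assumed layout for this
// example). Whatever fetches the certificate drops the files here; the service
// serves the new pair on the next handshake, with no restart.
type certStore struct {
	dir   string
	mu    sync.Mutex
	cache map[string]cachedCert
}

type cachedCert struct {
	cert    *tls.Certificate
	modTime time.Time // mtime of fullchain.pem when it was parsed
}

func newCertStore(dir string) *certStore {
	return &certStore{dir: dir, cache: map[string]cachedCert{}}
}

// getCertificate picks the key pair for the requested SNI name, re-reads it when
// the file on disk changed, and refuses any name that is not a single path
// component so a hostile SNI cannot walk out of the directory.
func (s *certStore) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := hello.ServerName
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return nil, fmt.Errorf("refusing SNI %q", name)
	}
	certPath := filepath.Join(s.dir, name, "fullchain.pem")
	keyPath := filepath.Join(s.dir, name, "privkey.pem")
	st, err := os.Stat(certPath)
	if err != nil {
		return nil, fmt.Errorf("no certificate for %q: %w", name, err)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if c, ok := s.cache[name]; ok && c.modTime.Equal(st.ModTime()) {
		return c.cert, nil
	}
	pair, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, err
	}
	// A leaf that does not cover the SNI name fails here, at the server, rather
	// than as an opaque handshake error at every client.
	if err := leaf.VerifyHostname(name); err != nil {
		return nil, err
	}
	pair.Leaf = leaf
	s.cache[name] = cachedCert{cert: &pair, modTime: st.ModTime()}
	return &pair, nil
}

// writeSelfSigned creates a throwaway self-signed cert for name in the store
// layout. Constructed test material only. The key is written before the cert so
// a reader that sees the new chain never pairs it with the old key.
func writeSelfSigned(dir, name string, serial int64) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	hostDir := filepath.Join(dir, name)
	if err := os.MkdirAll(hostDir, 0o700); err != nil {
		return err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(hostDir, "privkey.pem"), keyPEM, 0o600); err != nil {
		return err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return os.WriteFile(filepath.Join(hostDir, "fullchain.pem"), certPEM, 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "certstore")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := writeSelfSigned(dir, "example.com", 1); err != nil {
		panic(err)
	}
	store := newCertStore(dir)
	// Any listener wrapped with tls.NewListener(ln, cfg), or a STARTTLS upgrade
	// done with tls.Server(conn, cfg), resolves its certificate through the hook.
	cfg := &tls.Config{GetCertificate: store.getCertificate, MinVersion: tls.VersionTLS12}
	c, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: "example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("serving", c.Leaf.DNSNames, "until", c.Leaf.NotAfter.UTC().Format(time.RFC3339))
}
```

The mtime check keeps the per-handshake cost to one stat; on filesystems with coarse timestamps a rotation within the same second would not be noticed, so a fetcher that replaces files should write the key first, then the chain, and ideally touch the chain file afterwards.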

Oh that makes sense!

1 Like