Awaiting Certificates

Hi Fly folks. :wave:

I’m trying to set up MinIO with a custom domain name and I’m hitting a snag. I tried setting up using the speed run instructions from the blog post and added A and AAAA records, but that seemed to not issue the certificate. I realized that I probably wanted CNAME instead, so I switched the DNS records per the docs page, but I’m still not seeing it issued.

```
$ fly certs show minio.test.litestream.io
The certificate for minio.test.litestream.io has not been issued yet.

Hostname                  = minio.test.litestream.io
DNS Provider              = name
Certificate Authority     = Let's Encrypt
Issued                    = 
Added to App              = 22 hours ago
Source                    = fly

Your certificate for minio.test.litestream.io is being issued. Status is Awaiting certificates.
```

I’m sure I’m doing something dumb but I’m not sure what. Do I need to remove the cert and start over? Also, I haven’t seen any instructions regarding an acme challenge mentioned in other posts so maybe that’s what I’m missing?

I believe A/AAAA or CNAME is fine with certs.

Do you use Cloudflare for the DNS? Only its orange-cloud/proxy DNS records can cause issues, I’ve found. The DNS record may need to be grey-cloud/non-proxy.

Failing that, it’s worth trying adding the acme challenge DNS entry too. The CLI does not reveal that as far as I know, so you have to get it from the Fly.io dashboard. If you sign in to that, click on the app, and look at certificates in there it should show the DNS entry to add. Which again, will need to be non-proxied (if using something like Cloudflare).

Failing that … not sure!


We’re checking on this. A/AAAA should be fine, but so should CNAME!

@benbjohnson ok we figured it out. Your app doesn’t have a service on port 443, so we can’t issue the certificate (Let’s Encrypt only connects to 443). If you add port 443 to your app config, you should be good to go.

Yep, it was the port 443. Thanks!

I’m also having this issue. How do you add the port? If it’s in the toml file then it’s already there.

```toml
app = "my-app"

kill_signal = "SIGINT"
kill_timeout = 5
processes = []

[env]
  PORT = "8080"

[experimental]
  allowed_public_ports = []
  auto_rollback = true

[[services]]
  http_checks = []
  internal_port = 8080
  processes = ["app"]
  protocol = "tcp"
  script_checks = []

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20
    type = "connections"

  [[services.ports]]
    handlers = ["http"]
    port = 80

  [[services.ports]]
    handlers = ["tls", "http"]
    port = 443

  [[services.tcp_checks]]
    grace_period = "1s"
    interval = "15s"
    restart_limit = 0
    timeout = "2s"
```

I have solved the issue temporarily with a CNAME record, but I would like to do it via A & AAAA records.
For that, what should I do? I mean on the Fly side and in my application. I have followed the whole documentation.

You can see your app IPs with `fly ips list`. Set an AAAA record pointing to the IPv6 address, and set an A record pointing to the IPv4 address and you’ll be good!

Yeah, but I have already done that; it was awaiting certificates (Your certificate for … is being issued. Status is Awaiting certificates.) for a few hours. Then I did some research in here, and it says

Awaiting Certificates - #4 by kurt

So, say my config is right, no problem? It’s just a matter of time on DNS?

Certificates should be generated within a few minutes. If they aren’t, something is probably misconfigured.

Okay, so, is it safe to remove the CNAME record and create A & AAAA records? Will it affect the current certificate?