Hey there, taking a look at a few different queries for your hostname, I can see that there is an additional A record which points to an IP address outside of our network:
curl ipinfo.io/104.198.14.52
{
"ip": "104.198.14.52",
"hostname": "52.14.198.104.bc.googleusercontent.com",
There’s another cert that’s been in place since before this was added to the app, which I can see when curling https://mnyou.org and connecting on 104.198.14.52:
* start date: Apr 21 21:00:29 2022 GMT
* expire date: Jul 20 21:00:28 2022 GMT
* subjectAltName: host "mnyou.org" matched cert's "mnyou.org"
But there’s also a cert configured for your Fly app from 2 days ago, which you can see when you force a connection over 66.51.120.170:
curl -vvv https://mnyou.org --resolve 'mnyou.org:443:66.51.120.170'
* Added mnyou.org:443:66.51.120.170 to DNS cache
* Hostname mnyou.org was found in DNS cache
* Trying 66.51.120.170:443...
* TCP_NODELAY set
* Connected to mnyou.org (66.51.120.170) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=mnyou.org
* start date: May 24 16:28:26 2022 GMT
* expire date: Aug 22 16:28:25 2022 GMT
* subjectAltName: host "mnyou.org" matched cert's "mnyou.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55f4b0ee92f0)
> GET / HTTP/2
> Host: mnyou.org
When you run that last command, are you running flyctl certs check hostname or flyctl certs check mnyou.org?
If you got that response while supplying your domain instead of hostname, then it’s possible that the extra A record is tripping fly certs check up. Thanks for the question!
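The per-IP check used in the reply above, written up as an added example (this is not part of the original post, and not a Fly.io or flyctl tool): a shell script that enumerates every A record for a hostname, pins curl to one IP at a time with --resolve, and pulls the certificate subject, validity dates, issuer and verify result out of curl's -v output. If two A records return different summaries, two different origins are answering for the name, which is exactly the situation the post describes. The function names, the CHECK_HOST variable and the use of dig for record enumeration are my assumptions; the embedded sample transcript is constructed from the curl output quoted in the post so the parser can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: see which certificate each
# A record of a hostname actually serves by forcing curl to one IP at a
# time with --resolve, then summarising the certificate lines from -v.
set -eu

# Reduce a `curl -v` transcript on stdin to "field=value" lines for the
# certificate fields that matter when comparing origins.
cert_summary() {
    sed -n \
        -e 's/^\* *subject: */subject=/p' \
        -e 's/^\* *start date: */start=/p' \
        -e 's/^\* *expire date: */expire=/p' \
        -e 's/^\* *issuer: */issuer=/p' \
        -e 's/^\* *SSL certificate verify \(.*\)\.$/verify=\1/p'
}

# Connect to HOST at a specific IP, bypassing DNS, and summarise the cert.
# Needs network access; not used by the offline sample below.
probe_ip() {
    host="$1"; ip="$2"
    # -o /dev/null drops the body; 2>&1 captures the verbose TLS log.
    curl -sv --max-time 10 -o /dev/null \
        --resolve "${host}:443:${ip}" "https://${host}/" 2>&1 | cert_summary
}

# Probe every A record for HOST. Differing summaries mean more than one
# origin is answering for the name (in the post: 104.198.14.52 and
# 66.51.120.170 served different Let's Encrypt certificates).
check_all_a_records() {
    host="$1"
    for ip in $(dig +short A "$host"); do
        echo "== ${host} via ${ip}"
        probe_ip "$host" "$ip"
    done
}

# Constructed sample: the certificate lines from the post's curl -v output
# against 66.51.120.170, used so the parser can be run without network.
sample_transcript() {
    cat <<'EOF'
* Connected to mnyou.org (66.51.120.170) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=mnyou.org
*  start date: May 24 16:28:26 2022 GMT
*  expire date: Aug 22 16:28:25 2022 GMT
*  subjectAltName: host "mnyou.org" matched cert's "mnyou.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/2
EOF
}

sample_summary() {
    sample_transcript | cert_summary
}

# Stand-alone run: CHECK_HOST=mnyou.org ./check-a-records.sh probes live;
# with CHECK_HOST unset, the parser is shown on the constructed sample.
if [ -n "${CHECK_HOST:-}" ]; then
    check_all_a_records "$CHECK_HOST"
else
    sample_summary
fi
```

The --resolve pinning is what makes this meaningful: an ordinary `curl https://host` lets the resolver pick one of the A records, so a stale origin can go unnoticed for as long as the old certificate stays valid. Comparing the `start=` and `issuer=` lines across IPs surfaces that immediately.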