bypassing certificate DNS validation

I am attempting to use Cloudflare in front of Fly, a configuration that has Just Worked in the past for me with Caddy rather than Fly. As long as the HTTP-01 challenge is still able to be routed to the service, it’s possible to get a LE certificate. However, this doesn’t seem to work, because Fly checks that the DNS is pointed directly at Fly, and prevents the use of this external solution. Is there a workaround, to force it to get the certificate anyway?

Hi,

As I recall you could either verify ownership of a custom domain using A/AAAA records (which won’t work if those are “orange cloud” in Cloudflare, as you say, because it will return its IP instead of Fly’s) or use a CNAME to your-app.fly.dev.

Maybe try that :thinking:

Possibly related but there’s a load of discussion on Cloudflare about it returning phantom TXT records causing problems with LetsEncrypt verification of proxied domains. It’s not clear if that’s now resolved or still causing an issue:

https://community.cloudflare.com/t/extra-acme-txt-records-preventing-renewal/412449/4

Well… I have the cname to my app set up. I just don’t know how to get fly to not make a DNS check, and just try for the certificate challenge. It will succeed, as cloudflare proxies the LE request as long as it doesn’t have force HTTPS enabled. I’d rather not be manually reconfiguring it every time.

Er … I don’t believe you can control what Fly-bot does to check. I’d assume it checks each type of record and if it finds a valid one, it passes.

I wonder if your domain is example.com, if …

CNAME example.com → your-app-name.fly.dev (orange cloud)

AND

CNAME _acme-challenge.example.com → example.com.somethinghere.flydns.net (grey cloud)

… is the combination you need :thinking:

If you run flyctl certs show example.com it may show you the correct CNAME to use for that second record. Since that way Fly never sees a Cloudflare IP back … and so in theory should pass its checks.
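The reasoning in the replies above (a proxied record answers with a Cloudflare IP, so the ownership check only passes if some record the checker can see still points at Fly) can be made concrete with a small model. The following is an added example, not code from the thread or from Fly; the three-rule ownership check is an assumed simplification of what Fly does, and every IP, app name and flydns.net target is a constructed placeholder.

```python
"""Model of why a proxied Cloudflare record hides a Fly app from the ownership check.

Assumed simplification of Fly's check, written for this thread; NOT Fly's code.
All addresses and names below are constructed placeholders.
"""
from dataclasses import dataclass

CLOUDFLARE_EDGE_IP = "203.0.113.10"      # constructed: stands in for a Cloudflare edge IP
FLY_APP = "your-app-name"                # constructed app name, as in the post above
FLY_IPS = {"198.51.100.20"}              # constructed: stands in for the IP Fly assigns the app
ACME_DELEGATE = "example.com.somethinghere.flydns.net"  # placeholder target shown by `flyctl certs show`


@dataclass(frozen=True)
class Record:
    rtype: str             # "A", "AAAA" or "CNAME"
    target: str            # IP address or canonical name
    proxied: bool = False  # True = Cloudflare "orange cloud"


def public_answers(zone, name):
    """What an outside resolver sees for `name`.

    A proxied (orange-cloud) record is answered with a Cloudflare IP instead of
    the configured target, which is exactly what hides the real target from Fly.
    """
    answers = []
    for rec in zone.get(name, ()):
        if rec.proxied:
            answers.append(Record("A", CLOUDFLARE_EDGE_IP))
        else:
            answers.append(rec)
    return answers


def fly_ownership_check(zone, hostname):
    """Assumed model: pass if ANY of the following is visible publicly.

    1. A/AAAA for `hostname` equals one of Fly's assigned IPs.
    2. `hostname` is a CNAME to <app>.fly.dev.
    3. _acme-challenge.<hostname> is a CNAME to the flydns.net target.
    Returns (passed, reason).
    """
    for rec in public_answers(zone, hostname):
        if rec.rtype in ("A", "AAAA") and rec.target in FLY_IPS:
            return True, "A/AAAA points at Fly's IP"
        if rec.rtype == "CNAME" and rec.target == f"{FLY_APP}.fly.dev":
            return True, "CNAME points at the Fly app"
    for rec in public_answers(zone, f"_acme-challenge.{hostname}"):
        if rec.rtype == "CNAME" and rec.target == ACME_DELEGATE:
            return True, "_acme-challenge delegated to flydns.net"
    return False, "every visible answer is a Cloudflare IP or an unrelated target"


# Constructed zones for the three layouts discussed in the thread.
PROXIED_A = {
    "example.com": [Record("A", "198.51.100.20", proxied=True)],
}
PROXIED_CNAME_ONLY = {
    "example.com": [Record("CNAME", f"{FLY_APP}.fly.dev", proxied=True)],
}
PROXIED_CNAME_PLUS_ACME = {
    "example.com": [Record("CNAME", f"{FLY_APP}.fly.dev", proxied=True)],
    "_acme-challenge.example.com": [Record("CNAME", ACME_DELEGATE, proxied=False)],
}


def diagnose():
    """Run the model over all three layouts; returns {layout: (passed, reason)}."""
    return {
        "proxied A record": fly_ownership_check(PROXIED_A, "example.com"),
        "proxied CNAME only": fly_ownership_check(PROXIED_CNAME_ONLY, "example.com"),
        "proxied CNAME + grey-cloud _acme-challenge": fly_ownership_check(
            PROXIED_CNAME_PLUS_ACME, "example.com"
        ),
    }


if __name__ == "__main__":
    for layout, (ok, why) in diagnose().items():
        print(f"{layout:45s} {'PASS' if ok else 'FAIL'}: {why}")
```

The model makes the point of the last reply visible: the first two layouts fail because the only thing the checker can see is a Cloudflare IP, while the grey-cloud `_acme-challenge` CNAME is never proxied and so gives the checker a record it can validate. Against a real zone the same check would be done with `dig` or `flyctl certs check`, not with this model.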
