Can I use Cloudflare proxying with Fly certificates?

I have a domain indiepaper.me, I have created a deployment and added A and AAAA records to the correct IP addresses. I also created a certificate for the domain in my app, but it was not working, so I switched off the Cloudflare proxy to get it to work. Can I turn it back on after the certificate gets issued?

1 Like

Cloudflare allows a few different security settings for its proxy. If you had it set to ‘Full (Strict)’, it would expect a valid certificate on the server side. Once it’s issued, that mode should work; otherwise you could use ‘Full’, which allows untrusted certificates.

The certificate we issued for that domain is only good for 3 months, so it will work until it needs to renew. You can do DNS validation following the instructions in our UI to let us renew it even while it’s routed through Cloudflare.

You might also be able to create a CNAME record to <app>.fly.dev, assuming Cloudflare will use the <app>.fly.dev hostname/certificate when it connects.

1 Like

I couldn’t find a way to use that CNAME in Cloudflare, as it looks like it uses the incoming request hostname when connecting to the origin. I know that Fastly does allow overriding the Host header for these situations.

I found some info here, but this requires using their load balancer. https://blog.cloudflare.com/per-origin-host-header-override

I fixed it the following way:

  • Set up the domain in Cloudflare
  • Set up the Fly IP addresses in Cloudflare
  • Set Cloudflare to Full SSL mode
  • Make the records pass-through only
  • Generate the certificates
  • Turn the DNS proxy back on

Since Fly needs to verify the IP address during certificate issuance, I think this would pose a problem when the certificate expires. Is there any way to mitigate this? Would setting up that optional CNAME for ACME verification help?

3 Likes

DNS ACME validation will work, yes. We’ll keep certs fresh when DNS verification is in place.

3 Likes

Could you possibly add a flag such as flyctl certs check --without-dns-verification for those who have set up Cloudflare to work properly with Let’s Encrypt (i.e. a page rule with /.well-known/* allowed)?

I tried your solution: add the A/AAAA IPs with the CF proxy off, generate certs (for api.mysite.com), then turn CF proxying back on, but it doesn’t work after the CF proxy is turned back on.

Trying to use a CNAME to see what happens; could that work with the CF proxy on? Otherwise it looks like I can’t use CF and Fly together, and need to turn off the proxy for the A/AAAA addresses.

I know this is extremely late, but did you make sure to set the CF SSL mode to “Full”?

Did you ever find a fix? I’m in the same position, even with Universal SSL disabled.

Nope, tried everything I found (from the date I posted the above comment) on the fly.io forums. Just gave up, and there’s no CF proxy/firewall in front of my fly app.

Just hope no spam bombards it 🙂

Did you try re-enabling Universal SSL after verification? I was struggling to get it to work until I did that and then suddenly got green lights.

You can authorize certificates through Cloudflare using the acme_challenge CNAME on Fly’s certificate page. That CNAME must be unproxied, but it points to a hostname provided by Fly.io and doesn’t reveal your app.

Cloudflare will default to trying to access your Fly.io origin via HTTP. If you don’t allow that, you can set TLS to Full, or create a Cloudflare configuration rule that changes the TLS mode for your Fly.io proxied domain to Full or higher.

2 Likes
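The thread keeps tripping over the same three things: Fly's default certificate validation cannot see the origin while the A/AAAA records are proxied (the name resolves to Cloudflare, not to Fly), a DNS-only _acme-challenge CNAME fixes issuance and renewal regardless of proxying, and a Flexible SSL mode makes Cloudflare connect to the Fly origin over plain HTTP. Below is an added offline checker that encodes those rules so a setup can be reviewed before the next renewal bites. It is example code written for this page, not Fly's or Cloudflare's tooling; the IP addresses and the CNAME target are constructed placeholders (copy the real ones from your Fly app and its certificate page), and the Record/Zone model is a stand-in for whatever you pull from the Cloudflare API or dig.

```python
"""Offline checker for a Fly.io app fronted by the Cloudflare proxy.

Rules encoded (all taken from the thread above):
  1. Proxied A/AAAA records + no _acme-challenge CNAME  -> Fly cannot validate/renew.
  2. The _acme-challenge CNAME must exist, be DNS-only, and point at Fly's target.
  3. Proxy on with SSL mode "off"/"flexible" -> Cloudflare hits the origin over HTTP.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Record:
    """One Cloudflare DNS record; `proxied` is the orange-cloud toggle."""
    name: str
    rtype: str          # "A", "AAAA" or "CNAME"
    value: str
    proxied: bool = False


@dataclass(frozen=True)
class Zone:
    """The zone settings that matter here (ssl_mode uses Cloudflare's API values)."""
    ssl_mode: str       # "off", "flexible", "full" or "strict"
    records: Tuple[Record, ...]


def origin_scheme(ssl_mode: str) -> str:
    """Scheme Cloudflare uses toward the origin for a given SSL/TLS mode."""
    return "https" if ssl_mode in ("full", "strict") else "http"


def check_fly_behind_cloudflare(zone: Zone, hostname: str, fly_v4: FrozenSet[str],
                                fly_v6: FrozenSet[str], acme_target: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the setup is sound."""
    problems: List[str] = []

    addr = [r for r in zone.records if r.name == hostname and r.rtype in ("A", "AAAA")]
    if not addr:
        problems.append(f"{hostname}: no A/AAAA record pointing at Fly")
    for r in addr:
        allowed = fly_v4 if r.rtype == "A" else fly_v6
        if r.value not in allowed:
            problems.append(f"{hostname}: {r.rtype} {r.value} is not one of the app's Fly IPs")

    proxied = any(r.proxied for r in addr)
    acme_name = f"_acme-challenge.{hostname}"
    acme = [r for r in zone.records if r.name == acme_name and r.rtype == "CNAME"]

    if proxied:
        # Rule 3: with the proxy on, only Full / Full (Strict) reach Fly over TLS.
        if origin_scheme(zone.ssl_mode) != "https":
            problems.append(f"{hostname}: SSL mode '{zone.ssl_mode}' makes Cloudflare connect "
                            "to Fly over plain HTTP; use Full or Full (Strict)")
        # Rule 1: IP/HTTP validation sees Cloudflare's edge, so DNS validation is required.
        if not acme:
            problems.append(f"{hostname}: records are proxied and no {acme_name} CNAME exists, "
                            "so Fly cannot validate or renew the certificate")

    for r in acme:  # Rule 2
        if r.proxied:
            problems.append(f"{acme_name}: must be DNS-only (unproxied)")
        if r.value != acme_target:
            problems.append(f"{acme_name}: points at {r.value}, expected {acme_target}")
    return problems


# Constructed inputs for this example (not the thread author's real allocation).
HOST = "indiepaper.me"
FLY_V4 = frozenset({"203.0.113.10"})
FLY_V6 = frozenset({"2001:db8::10"})
ACME_TARGET = "indiepaper.me.example-app.flydns.net"   # assumed shape; take yours from Fly's UI


def broken_zone() -> Zone:
    """Proxy turned back on after issuance, Flexible SSL, no DNS validation: the thread's failure."""
    return Zone("flexible", (
        Record(HOST, "A", "203.0.113.10", proxied=True),
        Record(HOST, "AAAA", "2001:db8::10", proxied=True),
    ))


def fixed_zone() -> Zone:
    """Proxy on, Full SSL, and an unproxied _acme-challenge CNAME so Fly can renew."""
    return Zone("full", (
        Record(HOST, "A", "203.0.113.10", proxied=True),
        Record(HOST, "AAAA", "2001:db8::10", proxied=True),
        Record(f"_acme-challenge.{HOST}", "CNAME", ACME_TARGET, proxied=False),
    ))


if __name__ == "__main__":
    for label, zone in (("broken", broken_zone()), ("fixed", fixed_zone())):
        found = check_fly_behind_cloudflare(zone, HOST, FLY_V4, FLY_V6, ACME_TARGET)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

To use it against a live zone, replace `broken_zone()`/`fixed_zone()` with records built from the Cloudflare DNS API listing (its `proxied` field maps directly onto `Record.proxied`) and the zone's `ssl` setting; the checker itself stays offline, which is deliberate so it can run in CI before a DNS change is applied.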

Is the generation of Certificate done on Cloudflare as well as on Fly.io?