Can I use CloudFlare proxying with Fly certificates?

I have a domain indiepaper.me, I have created a deployment and added A and AAAA records to the correct IP addresses. I also created a certificate for the domain in my app, but it was not working, so I switched off the Cloudflare proxy for it to work. Can I turn it back on after the certificate gets issued?

Cloudflare allows a few different security settings for its proxy. If you had it set to ‘Full (Strict)’, it would expect a valid certificate on the server side. Once it’s issued, that mode should work, otherwise you could use ‘Full’ which allows untrusted certificates.

The certificate we issued for that domain is only good for 3 months, so it will work until it needs to renew. You can do DNS validation following the instructions in our UI to let us renew it even while it’s routed through CloudFlare.

You might also be able to create a CNAME record to <app>.fly.dev, assuming CloudFlare will use the <app>.fly.dev hostname/certificate when it connects.

I couldn’t find a way to use that CNAME in Cloudflare, as it looks like it uses the incoming request hostname when connecting to the origin. I know that Fastly does allow overriding the Host header for these situations.

I found some info here, but this requires using their load balancer. https://blog.cloudflare.com/per-origin-host-header-override

I fixed it the following way,

  • Set up the domain in Cloudflare
  • Set up the Fly IP addresses in Cloudflare
  • Set Cloudflare to Full SSL mode
  • Make the records pass-through only
  • Generate the certificates
  • Turn the DNS proxy back on

Since Fly needs to verify the IP address during certificate issuance, I think this would pose a problem when the certificate expires. Is there any way to mitigate this? Would setting up that optional CNAME for ACME verification help?


DNS ACME validation will work, yes. We'll keep certs fresh when DNS verification is in place.

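The procedure above and the reply confirming DNS validation come down to one check a practitioner wants to run before the first renewal: do the hostname's A/AAAA answers still reach Fly directly (HTTP validation), and if not, is the `_acme-challenge` CNAME delegated to Fly (DNS validation)? The script below is an added example for this thread, not Fly's or Cloudflare's own tooling. It parses `dig +noall +answer` output and reports whether renewal can succeed with the proxy on. Assumptions: the Cloudflare ranges are a snapshot of the published list at https://www.cloudflare.com/ips/, the DNS-validation CNAME target ends in `.flydns.net`, and the Fly IPs and dig answers are constructed sample data, not this app's real records.

```python
"""Renewal-readiness check for a Fly certificate behind the Cloudflare proxy.

Added example for this thread (not Fly's or Cloudflare's code). HTTP-01
validation needs the A/AAAA answers to reach the app's Fly IPs directly;
DNS-01 only needs the _acme-challenge CNAME, so it survives proxying.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Snapshot of Cloudflare's published proxy ranges. Assumption: refresh from
# https://www.cloudflare.com/ips/ before depending on this list.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Assumption: the CNAME target Fly's UI hands out for DNS validation ends here.
FLY_ACME_ZONE = ".flydns.net"

# One `dig +noall +answer` line: <name> <ttl> IN <type> <rdata>
_DIG_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_dig(text):
    """Parse dig answer lines into (name, type, rdata) tuples, lowercased and
    without trailing dots. Other record types and comment lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _DIG_LINE.match(line.strip())
        if m:
            name, rtype, rdata = m.groups()
            out.append((name.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return out


def is_cloudflare(addr):
    """True if addr falls inside a Cloudflare proxy range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


@dataclass
class Report:
    hostname: str
    proxied: bool        # A/AAAA answers are Cloudflare edge addresses
    http01_ok: bool      # answers reach the app's Fly IPs directly
    dns01_ok: bool       # _acme-challenge CNAME is delegated to Fly
    renewable: bool
    notes: list = field(default_factory=list)


def check_renewal(hostname, fly_ips, records):
    """Decide whether Fly can renew the certificate for `hostname`.

    fly_ips: the app's dedicated addresses (what `flyctl ips list` shows).
    records: parse_dig() output covering the hostname and its _acme-challenge name.
    """
    host = hostname.lower()
    fly = {ipaddress.ip_address(a) for a in fly_ips}
    addrs = [ipaddress.ip_address(r) for n, t, r in records
             if n == host and t in ("A", "AAAA")]
    proxied = any(is_cloudflare(a) for a in addrs)
    http01_ok = bool(addrs) and not proxied and all(a in fly for a in addrs)
    dns01_ok = any(r.endswith(FLY_ACME_ZONE) for n, t, r in records
                   if n == f"_acme-challenge.{host}" and t == "CNAME")

    rep = Report(host, proxied, http01_ok, dns01_ok, http01_ok or dns01_ok)
    if proxied and not dns01_ok:
        rep.notes.append("Proxied without an _acme-challenge CNAME: Fly's HTTP "
                         "validation hits Cloudflare, so renewal will fail when "
                         "the current certificate expires.")
    if proxied and dns01_ok:
        rep.notes.append("DNS validation is delegated to Fly; the proxy can stay on.")
    if proxied:
        rep.notes.append("Use Cloudflare SSL mode Full (Strict): plain Full accepts "
                         "any certificate on the origin, leaving the edge-to-origin "
                         "hop unauthenticated.")
    if not proxied and addrs and not http01_ok:
        rep.notes.append("Records point at addresses that are neither Cloudflare "
                         "nor this app's Fly IPs.")
    return rep


# Constructed sample data. The Fly IPs are RFC 5737/3849 documentation
# addresses standing in for the app's real ones.
FLY_IPS = ["198.51.100.7", "2001:db8::7"]
PROXIED_WITH_CNAME = """\
indiepaper.me.                 300 IN A     104.21.1.2
indiepaper.me.                 300 IN AAAA  2606:4700:3030::6815:102
_acme-challenge.indiepaper.me. 300 IN CNAME indiepaper.me.indiepaper.flydns.net.
"""
PROXIED_NO_CNAME = """\
indiepaper.me.                 300 IN A     104.21.1.2
indiepaper.me.                 300 IN AAAA  2606:4700:3030::6815:102
"""
DIRECT = """\
indiepaper.me.                 300 IN A     198.51.100.7
indiepaper.me.                 300 IN AAAA  2001:db8::7
"""

if __name__ == "__main__":
    for label, answers in (("proxied+cname", PROXIED_WITH_CNAME),
                           ("proxied", PROXIED_NO_CNAME), ("direct", DIRECT)):
        r = check_renewal("indiepaper.me", FLY_IPS, parse_dig(answers))
        print(label, "renewable" if r.renewable else "NOT renewable", *r.notes, sep="\n  ")
```

In practice, feed it `dig +noall +answer indiepaper.me A indiepaper.me AAAA _acme-challenge.indiepaper.me CNAME` and the addresses from `flyctl ips list`; the "proxied" case without the CNAME is exactly the state the procedure above leaves you in, and the script flags it before the three-month expiry does.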

Could you possibly add a flag such as flyctl certs check --without-dns-verification for those who have set up Cloudflare to work properly with Let's Encrypt (i.e. a page rule with /.well-known/* allowed)?