Can I use CloudFlare proxying with Fly certificates ?

I have a domain, I have created a deployment and added A and AAA records to the correct ip addresses. I also created a certificate for the domain in my app, but it was not working so I switched off cloudflare proxy for it to work. Can I turn it back on after the certificate gets issued ?

1 Like

Cloudflare allows a few different security settings for its proxy. If you had it set to ‘Full (Strict)’, it would expect a valid certificate on the server side. Once it’s issued, that mode should work, otherwise you could use ‘Full’ which allows untrusted certificates.

The certificate we issued for that domain is only good for 3 months, so it will work until it needs to renew. You can do DNS validation following the instructions in our UI to let us renew it even while it’s routed through CloudFlare.

You might also be able to create a CNAME record to <app>, assuming CloudFlare will use the <app> hostname/certificate when it connects.

1 Like

I couldn’t find a way to use that CNAME in Cloudflare, as it looks like it uses the incoming request hostname when connecting to the origin. I know that Fastly does allow overriding the Host header for these situations.

I found some info here, but this requires using their load balancer.

I fixed it the following way,

  • Setup Domain in Cloudflare
  • Setup Fly Ip addresses in Cloudflare
  • Setup Cloudflare as Full SSL Mode
  • Make records pass through only
  • Generate Certificates
  • Turn DNS Proxy back on

Since Fly needs to verify the ip address during certificate issue, I think this would pose a problem when the certificate expires. Is there any way to mitigate this, would setting up that optional CNAME for ACME verification help ?


DNS acme validation will work, yes. We’ll keep certs fresh when dns verification is in place.

1 Like

Could you possibly add a flag such as flyctl certs check --without-dns-verification for those who have set up cloudflare to work properly with letsencrypt (i.e. a page rule with /.well-known/* allowed`)?

I tried your solution, to add A/AAAA ips with CF Proxy off, to gen certs (for then turn back on CF Proxying, but it doesn’t work after CF Proxies turn back on.

Trying to use a CName to see what happens, could that work with CF Proxy on? Otherwise looks like I can’t use CF and Fly together, need to turn off proxy for A/AAAA addresses.

I know this is extremely late but did you make sure to set CF SSL mode to “Full”?

Did you ever find a fix? I’m in the same position, even with Universal SSL disabled.

Nope, tried everything I found (from the date I posted the above comment) from the forms. Just gave up and there’s no CF proxy/firewall in front of my fly app.

Just hope no spam bombards it :slight_smile:

Did you try re-enabling Universal SSL after verification? I was struggling to get it to work until I did that and then suddenly got green lights.

You can authorize certificates through Cloudflare using the acme_challenge CNAME on Fly’s certificate page. That CNAME must be unproxied, but it is to hostname provided by and doesn’t reveal your app.

Cloudflare will default to trying to access your origin via HTTP. If you don’t allow that, you can set TLS to full, or create a Cloudflare configuration rule that changes the TLS for your proxied domain to full or higher.