I have a domain indiepaper.me, I have created a deployment and added A and AAAA records to the correct IP addresses. I also created a certificate for the domain in my app, but it was not working so I switched off the Cloudflare proxy for it to work. Can I turn it back on after the certificate gets issued?
Cloudflare allows a few different security settings for its proxy. If you had it set to "Full (Strict)", it would expect a valid certificate on the server side. Once it's issued, that mode should work; otherwise you could use "Full", which allows untrusted certificates.
The certificate we issued for that domain is only good for 3 months, so it will work until it needs to renew. You can do DNS validation following the instructions in our UI to let us renew it even while it's routed through CloudFlare.
You might also be able to create a CNAME record to <app>.fly.dev, assuming CloudFlare will use the <app>.fly.dev hostname/certificate when it connects.
I couldn't find a way to use that CNAME in Cloudflare, as it looks like it uses the incoming request hostname when connecting to the origin. I know that Fastly does allow overriding the Host header for these situations.
I found some info here, but this requires using their load balancer. https://blog.cloudflare.com/per-origin-host-header-override
I fixed it the following way:
- Set up the domain in Cloudflare
- Set up the Fly IP addresses in Cloudflare
- Set Cloudflare to Full SSL mode
- Make the records pass-through (DNS only)
- Generate the certificates
- Turn the DNS proxy back on
Since Fly needs to verify the IP address during certificate issue, I think this would pose a problem when the certificate expires. Is there any way to mitigate this? Would setting up that optional CNAME for ACME verification help?
DNS ACME validation will work, yes. We'll keep certs fresh when DNS verification is in place.
Could you possibly add a flag such as `flyctl certs check --without-dns-verification` for those who have set up Cloudflare to work properly with Let's Encrypt (i.e. a page rule with `/.well-known/*` allowed)?
I tried your solution, to add A/AAAA IPs with CF Proxy off, to gen certs (for api.mysite.com) then turn CF proxying back on, but it doesn't work after CF proxies turn back on.
Trying to use a CNAME to see what happens, could that work with CF Proxy on? Otherwise it looks like I can't use CF and Fly together, need to turn off proxy for A/AAAA addresses.
I know this is extremely late but did you make sure to set CF SSL mode to "Full"?
Did you ever find a fix? I'm in the same position, even with Universal SSL disabled.
Nope, tried everything I found (from the date I posted the above comment) from the fly.io forums. Just gave up and there's no CF proxy/firewall in front of my fly app.
Just hope no spam bombards it
Did you try re-enabling Universal SSL after verification? I was struggling to get it to work until I did that and then suddenly got green lights.
You can authorize certificates through Cloudflare using the acme_challenge CNAME on Fly's certificate page. That CNAME must be unproxied, but it is to a hostname provided by Fly.io and doesn't reveal your app.
Cloudflare will default to trying to access your Fly.io origin via HTTP. If you don't allow that, you can set TLS to Full, or create a Cloudflare configuration rule that changes the TLS for your Fly.io proxied domain to Full or higher.
Is the generation of Certificate done on Cloudflare as well as on Fly.io?
Hello!
I was unable to get my website to work with a Fly SSL certificate while the CloudFlare proxy was enabled. I tried as many combinations of settings as I could find, but none worked. It seems that Fly SSL is not capable of supporting CDN like Cloudflare.
I figured out how to use the CloudFlare proxy in front of the Fly server anyways. My end goal was to:
- Force https with a valid SSL certificate
- Allow Cloudflare to proxy the site so you can set up DDoS protection, caching, and redirect rules.
How to Use Fly SSL
I found the only way for Fly SSL certs to work was to disable Cloudflare features:
- Disable proxies on all A and AAAA and CNAME records that link to your Fly app in [DNS > Records].
- Disable universal SSL in [SSL/TLS > Edge Certificates].
This gave me a working website with SSL provided by `flyctl certs` and http->https redirection provided by the Fly server via `[http_service] force_https = true`.
However, I still needed a way to redirect from *.com to www.*.com for my application to work as expected. And Cloudflare can't perform redirects unless you enable their proxy! So I figured, maybe I can use an SSL certificate generated by Cloudflare instead of Fly.
How to Use Cloudflare SSL
- Use `flyctl certs remove` to delete any certificates listed by `flyctl certs list`.
- Select Full (Strict) in [SSL/TLS > Overview > Configure > Custom SSL/TLS].
- Enable universal SSL in [SSL/TLS > Edge Certificates].
- Enable proxies on all AAAA and CNAME records that link to your Fly app in [DNS > Records].
- Delete any A records in [DNS > Records]; the Cloudflare proxy will provide IPv4 addresses for DNS internally; Fly shared IPs mess up Cloudflare (see Cloudflare 525 error randomly occurs - #45 by morse).
This gets the website live, and working with HTTPS as before. Except now, we can take advantage of our Cloudflare proxy! In my case, I made some redirect rules in [Rules > Overview > + Create Rule > Redirect Rule]:

| Rule name | If incoming requests match… | Request URL | Target URL | Status code | Place at |
|---|---|---|---|---|---|
| http:https | Wildcard Pattern | http://* | https://${1} | 301 | First |
| @:www | Wildcard Pattern | https://example.com* | https://www.example.com${1} | 301 | Last |
Now the website works according to my needs.
In conclusion, I think it's best to not use `flyctl certs` with Cloudflare, if you want to take advantage of Cloudflare's proxy features. Have Cloudflare manage your SSL certs instead.
Edit: Fixes to avoid error 525 when accessing content through Cloudflare (See Cloudflare 525 error randomly occurs).
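The two redirect rules in the table above chain: an http:// request is first bounced to https://, and the apex is then bounced to www. The script below is an added example, not part of the post or of Cloudflare's or Fly's tooling; it models Cloudflare's wildcard redirect rules with simplified semantics I am assuming (each `*` is a greedy capture, `${n}` substitutes the n-th capture, matching is case-insensitive, the first matching rule wins) and follows the resulting redirect chain for a constructed request, with a loop guard for the classic misconfiguration where two rules bounce a URL back and forth. `RULES`, `LOOP_RULES` and the example.com URLs are constructed for the demonstration.

```python
import re
from typing import Optional

# Constructed copy of the two rules from the post, in the order they are
# placed ("First" then "Last"). These are not pulled from a Cloudflare account.
RULES = [
    {"name": "http:https", "pattern": "http://*",
     "target": "https://${1}", "status": 301},
    {"name": "@:www", "pattern": "https://example.com*",
     "target": "https://www.example.com${1}", "status": 301},
]

# Constructed misconfiguration: a rule that undoes the www redirect.
LOOP_RULES = RULES + [
    {"name": "www:@", "pattern": "https://www.example.com*",
     "target": "https://example.com${1}", "status": 301},
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Assumed semantics: every '*' is a greedy capture group, the rest is
    literal text, and the whole request URL must match."""
    parts = pattern.split("*")
    body = "(.*)".join(re.escape(p) for p in parts)
    return re.compile(f"^{body}$", re.IGNORECASE)


def expand_target(target: str, groups: tuple) -> str:
    """Substitute ${n} placeholders with the n-th wildcard capture."""
    def repl(m: re.Match) -> str:
        idx = int(m.group(1))
        if idx < 1 or idx > len(groups):
            raise ValueError(f"${{{idx}}} has no matching wildcard")
        return groups[idx - 1]
    return re.sub(r"\$\{(\d+)\}", repl, target)


def evaluate(url: str, rules=RULES) -> Optional[tuple]:
    """Apply the rule list to one request URL.

    Returns (location, status) for the first rule that matches, or None
    when no rule fires and the request would be passed to the origin."""
    for rule in rules:
        m = wildcard_to_regex(rule["pattern"]).match(url)
        if m:
            return expand_target(rule["target"], m.groups()), rule["status"]
    return None


def follow(url: str, rules=RULES, max_hops: int = 5) -> list:
    """Act as a client: follow redirects until the request reaches the origin.

    Returns every URL visited, starting with the original request. Raises
    RuntimeError on a redirect loop or when max_hops is exceeded."""
    chain = [url]
    for _ in range(max_hops):
        result = evaluate(chain[-1], rules)
        if result is None:
            return chain
        location, _status = result
        if location.lower() in (seen.lower() for seen in chain):
            raise RuntimeError(f"redirect loop: {chain + [location]}")
        chain.append(location)
    raise RuntimeError(f"more than {max_hops} redirects: {chain}")


if __name__ == "__main__":
    for request in ("http://example.com/page?x=1", "https://www.example.com/"):
        print(" -> ".join(follow(request)))
    try:
        follow("https://example.com/", LOOP_RULES)
    except RuntimeError as err:
        print("misconfigured rule set:", err)
```

Two things worth noticing when you run it: an http:// request to the apex costs the visitor two 301 round trips before it reaches the origin, and the loop guard fires immediately once a www-to-apex rule is added next to the apex-to-www rule, which is the same failure mode you get when Cloudflare and the origin each insist on a different canonical host.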
I usually avoid making comments for the sake of "thank you," but dude, seriously, thank you. I've been dealing with this issue for three days, and now it's solved, thanks to your findings.
So now I'm:
- only setting AAAA records in CF
- removing the IPv4 record in Fly (since CF can seamlessly handle the traffic for clients that donāt support IPv4)
- able to issue the certificates on Fly again