Can I use CloudFlare proxying with Fly certificates ?

I have a domain indiepaper.me, I have created a deployment and added A and AAA records to the correct ip addresses. I also created a certificate for the domain in my app, but it was not working so I switched off cloudflare proxy for it to work. Can I turn it back on after the certificate gets issued ?

1 Like

Cloudflare allows a few different security settings for its proxy. If you had it set to ‘Full (Strict)’, it would expect a valid certificate on the server side. Once it’s issued, that mode should work, otherwise you could use ‘Full’ which allows untrusted certificates.

The certificate we issued for that domain is only good for 3 months, so it will work until it needs to renew. You can do DNS validation following the instructions in our UI to let us renew it even while it’s routed through CloudFlare.

You might also be able to create a CNAME record to <app>.fly.dev, assuming CloudFlare will use the <app>.fly.dev hostname/certificate when it connects.

1 Like

I couldn’t find a way to use that CNAME in Cloudflare, as it looks like it uses the incoming request hostname when connecting to the origin. I know that Fastly does allow overriding the Host header for these situations.

I found some info here, but this requires using their load balancer. https://blog.cloudflare.com/per-origin-host-header-override

I fixed it the following way,

  • Setup Domain in Cloudflare
  • Setup Fly Ip addresses in Cloudflare
  • Setup Cloudflare as Full SSL Mode
  • Make records pass through only
  • Generate Certificates
  • Turn DNS Proxy back on

Since Fly needs to verify the ip address during certificate issue, I think this would pose a problem when the certificate expires. Is there any way to mitigate this, would setting up that optional CNAME for ACME verification help ?

3 Likes

DNS acme validation will work, yes. We’ll keep certs fresh when dns verification is in place.

1 Like

Could you possibly add a flag such as flyctl certs check --without-dns-verification for those who have set up cloudflare to work properly with letsencrypt (i.e. a page rule with /.well-known/* allowed`)?

I tried your solution, to add A/AAAA ips with CF Proxy off, to gen certs (for api.mysite.com) then turn back on CF Proxying, but it doesn’t work after CF Proxies turn back on.

Trying to use a CName to see what happens, could that work with CF Proxy on? Otherwise looks like I can’t use CF and Fly together, need to turn off proxy for A/AAAA addresses.

I know this is extremely late but did you make sure to set CF SSL mode to “Full”?

Did you ever find a fix? I’m in the same position, even with Universal SSL disabled.

Nope, tried everything I found (from the date I posted the above comment) from the fly.io forms. Just gave up and there’s no CF proxy/firewall in front of my fly app.

Just hope no spam bombards it :slight_smile: