I have a domain indiepaper.me, I have created a deployment and added A and AAA records to the correct ip addresses. I also created a certificate for the domain in my app, but it was not working so I switched off cloudflare proxy for it to work. Can I turn it back on after the certificate gets issued ?
Cloudflare allows a few different security settings for its proxy. If you had it set to ‘Full (Strict)’, it would expect a valid certificate on the server side. Once it’s issued, that mode should work, otherwise you could use ‘Full’ which allows untrusted certificates.
The certificate we issued for that domain is only good for 3 months, so it will work until it needs to renew. You can do DNS validation following the instructions in our UI to let us renew it even while it’s routed through CloudFlare.
You might also be able to create a CNAME record to
<app>.fly.dev, assuming CloudFlare will use the
<app>.fly.dev hostname/certificate when it connects.
I couldn’t find a way to use that CNAME in Cloudflare, as it looks like it uses the incoming request hostname when connecting to the origin. I know that Fastly does allow overriding the Host header for these situations.
I found some info here, but this requires using their load balancer. https://blog.cloudflare.com/per-origin-host-header-override
I fixed it the following way,
- Setup Domain in Cloudflare
- Setup Fly Ip addresses in Cloudflare
- Setup Cloudflare as Full SSL Mode
- Make records pass through only
- Generate Certificates
- Turn DNS Proxy back on
Since Fly needs to verify the ip address during certificate issue, I think this would pose a problem when the certificate expires. Is there any way to mitigate this, would setting up that optional CNAME for ACME verification help ?
DNS acme validation will work, yes. We’ll keep certs fresh when dns verification is in place.
Could you possibly add a flag such as
flyctl certs check --without-dns-verification for those who have set up cloudflare to work properly with letsencrypt (i.e. a page rule with
I tried your solution, to add A/AAAA ips with CF Proxy off, to gen certs (for api.mysite.com) then turn back on CF Proxying, but it doesn’t work after CF Proxies turn back on.
Trying to use a CName to see what happens, could that work with CF Proxy on? Otherwise looks like I can’t use CF and Fly together, need to turn off proxy for A/AAAA addresses.