Can't create cert for domain + subdomain

Hi,

TL;DR

When I attempt to create a cert using flyctl certs create my-subdomain.my-domain.com the cert gets stuck in “Awaiting configuration” (so far for about ~1 hour).

Details

I’m attempting to point my-subdomain.my-domain.com at my-fly-app.fly.dev (fictional names here :wink:). I’m using Cloudflare to manage DNS. I created a DNS record “CNAME my-subdomain my-fly-app.fly.dev” under my-domain.com in Cloudflare. I then ran flyctl certs create my-subdomain.my-domain.com (I need the cert because I have strict end-to-end encryption turned on in Cloudflare). The output included a list of warnings (“A Record does not match app’s IP”, “AAAA Record does not match app’s IP”, “Address resolution does not match app’s IP”) followed by instructions to set up the CNAME that I had already created. Fly shows the cert in the “Awaiting configuration” state seemingly indefinitely.

What I’ve tried

I’ve tried 1) removing and re-creating the cert, 2) re-running Fly’s checks against the cert, 3) adding the _acme-challenge verification CNAME, 4) using A and AAAA records instead of the CNAME, 5) waiting and repeating steps 1-4 in various sequences, both from the CLI and the UI :sweat_smile:. Interestingly enough, I was able to get through to the “Awaiting certificates” state fairly quickly (5 mins) by requesting a wildcard certificate (*.my-domain.com) instead of a certificate for a specific subdomain. I don’t need the wildcard certificate though, and it feels weird to have it because although I will be using 2-3 subdomains, each subdomain will point to a different app (so each app would have to have its own redundant wildcard cert).

Any ideas? Thanks in advance!

Cloudflare proxies CNAMEs by default, I think. Will you see if the proxy is enabled and turn it off if it is?

Ha fixed, thank you!! I did not realize that icon was clickable :sweat_smile:.

It’s a total dark pattern. I hate it.

@kurt we are running a Cloudflare worker in front of our fly app - and in order to use a worker the CNAME must be proxied on the Cloudflare side. Do you know if this will be an issue for automated renewal of the Let’s Encrypt cert on the fly side? Thanks!

@eadmundo Hi, I’ve had my fair share of battles with Cloudflare :slight_smile: In my experience you will indeed run into an issue on the Fly side with that setup (as in, just a CNAME), since Let’s Encrypt will check your CNAME and find it does not match what it expects (Fly); it will instead return a Cloudflare IP, and so fail its validation. Handily, you can solve the issue by adding another sibling DNS record: an acme-challenge. Fly provides that value. That acme-challenge DNS record should be non-proxied (i.e. grey-cloud) in the Cloudflare DNS page. That way, even though your domain’s CNAME is proxied (orange-cloud) - as it needs to be, for the Worker to, er, work - the acme-challenge record not being proxied means Let’s Encrypt sees the value it needs to, and passes.
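
As an added illustration of the setup described in the reply above (example code written for this thread, not Fly’s or Cloudflare’s own checker): a small resolver-independent check that reproduces the three flyctl warnings against a constructed DNS snapshot, showing that a proxied (orange-cloud) hostname fails the direct A/AAAA/CNAME checks while a grey-cloud _acme-challenge CNAME still lets validation proceed. The app hostname, IPs and ACME target value are placeholders; the `lookup` callable can be swapped for a real resolver.

```python
from typing import Callable, Dict, List, Set, Tuple

Lookup = Callable[[str, str], List[str]]  # (name, record type) -> answers

# Constructed placeholders: the Fly app hostname, its public IPs, and the
# _acme-challenge target (the real value is the one Fly prints for the cert).
APP_TARGET = "my-fly-app.fly.dev"
APP_IPS: Set[str] = {"203.0.113.5", "2001:db8::5"}
ACME_TARGET = "ACME-TARGET-PLACEHOLDER.example"

# Snapshot A: hostname is orange-cloud, so resolvers see Cloudflare edge
# addresses instead of the CNAME; _acme-challenge is grey-cloud (constructed).
PROXIED: Dict[Tuple[str, str], List[str]] = {
    ("my-subdomain.my-domain.com", "A"): ["198.51.100.10"],
    ("my-subdomain.my-domain.com", "AAAA"): ["2001:db8:cf::10"],
    ("_acme-challenge.my-subdomain.my-domain.com", "CNAME"): [ACME_TARGET],
}
# Snapshot B: proxy turned off, so the CNAME to the app is visible.
UNPROXIED: Dict[Tuple[str, str], List[str]] = {
    ("my-subdomain.my-domain.com", "CNAME"): [APP_TARGET + "."],
}


def table_lookup(zone: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Offline stand-in for a DNS resolver (e.g. dnspython's resolve())."""
    return lambda name, rtype: zone.get((name, rtype), [])


def check_hostname(lookup: Lookup, hostname: str) -> Tuple[bool, List[str]]:
    """Return (cert_can_validate, warnings), mirroring flyctl's messages."""
    warnings: List[str] = []
    cname = [c.rstrip(".") for c in lookup(hostname, "CNAME")]
    if APP_TARGET in cname:
        direct_ok = True  # grey-cloud CNAME straight to the app
    else:
        a, aaaa = lookup(hostname, "A"), lookup(hostname, "AAAA")
        if a and not set(a) <= APP_IPS:
            warnings.append("A Record does not match app's IP")
        if aaaa and not set(aaaa) <= APP_IPS:
            warnings.append("AAAA Record does not match app's IP")
        direct_ok = bool(a or aaaa) and not warnings
    # The grey-cloud _acme-challenge CNAME is what lets Let's Encrypt validate
    # even when the hostname itself is proxied.
    acme = [c.rstrip(".") for c in lookup("_acme-challenge." + hostname, "CNAME")]
    acme_ok = ACME_TARGET in acme
    if not direct_ok and not acme_ok:
        warnings.append("Address resolution does not match app's IP")
    return direct_ok or acme_ok, warnings
```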

Brilliant, thanks @greg - I will give that a go!