cert not being issued after 12h

I have a cert that I added to my app about 12h ago or so and still hasn’t issued. I tried to recreate it this morning but I keep getting this message

The certificate for sumiu.link has not been issued yet.

Hostname                  = sumiu.link

DNS Provider              = cloudflare

Certificate Authority     = Let's Encrypt

Issued                    = 

Added to App              = 36 minutes ago

Source                    = fly

Your certificate for sumiu.link is being issued. Status is Awaiting certificates. Make sure to create another certificate for www.sumiu.link when the current certificate is issued. 

and this is the Cloudflare configuration

I wonder if this is because I recreated this app multiple times (and so recreated the cert too)

2 Likes

I have the exact same problem.
Everything was working fine but I recreated the app. Now it looks like it’s stuck with the issuing part.

Is it working for you luizkowalski?
For me it looks like this now:

Screenshot 2023-01-04 at 15.04.01

just like that for me too

I seem to be having the same issue for the two domains I set up yesterday

deployed 17 and 18 hours ago respectively, but both are giving the same message:

Your certificate for lambda.garden is being issued. Status is Awaiting certificates. Make sure to create another certificate for www.lambda.garden when the current certificate is issued.

both applications are in the DEN region

Same here, app is from SEA, singapore

Hostname                  = mejamakan.my

DNS Provider              = cloudflare

Certificate Authority     = Let's Encrypt

Issued                    = 

Added to App              = 1 day ago

Source                    = fly
1 Like

Same here. I’m also getting IPv6 connection failures from my v6-enabled ISP and when checking ALPN-01 via https://letsdebug.net/ (its an apex domain): 2a09:8280:1::a:[masked]: Connection reset by peer

1 Like

@luizkowalski hey, i see you domain is running. Did you do anything in particular to fix it?

1 Like

mine doesn’t validate ECDSA Nor NSA :frowning:

hey! i did nothing. just disabled cloudflare and set up dns in namecheap. also: RSA looks green for me now

Same issue here. It’s been about 4 hours now and it seems to be stuck waiting for certificates.

Same issue here. Spent many hours since yesterday to figure out the issue but this is really hard to debug as an end user. I’m also using Cloudflare. I tried multiple times, waited over 7 hours first time but still no luck and seeing your cert is being issued message.

@eric24 I don’t see a certificate on any of your apps. Will you run fly certs create <hostname> and then I can look again at how it’s configured?

@willfore yours appears to be a problem with Lets Encrypt connecting to the IPv6 on your application. We’re looking into this, it’s a weird bug.

@here It looks like we’re having routing issues cause problems with some of the new IPv6 addresses apps get. We’re investigating these, but these might be the cause of new certificate failures.

4 Likes

I did flyctl certs create mydomain.com and received Error Hostname already exists on app message.

Hostname                  = mydomain.com
DNS Provider              = cloudflare
Certificate Authority     = Let's Encrypt
Issued                    =
Added to App              = 1 hour ago
Source                    = fly

Thanks Kurt. I appreciate it!

Same issue.

The certificate for api.staging.thesemetrics.dev has not been issued yet.

Hostname                  = api.staging.thesemetrics.dev

DNS Provider              = digitalocean

Certificate Authority     = Let's Encrypt

Issued                    = 

Added to App              = 51 minutes ago

Source                    = fly
dig aaaa api.staging.thesemetrics.dev

; <<>> DiG 9.10.6 <<>> aaaa api.staging.thesemetrics.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30116
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;api.staging.thesemetrics.dev.	IN	AAAA

;; ANSWER SECTION:
api.staging.thesemetrics.dev. 1800 IN	AAAA	2a09:8280:1::6:c536

;; Query time: 147 msec
;; SERVER: 2001:4e8:0:4008::12#53(2001:4e8:0:4008::12)
;; WHEN: Fri Jan 06 12:08:42 PST 2023
;; MSG SIZE  rcvd: 85
dig cname _acme-challenge.api.staging.thesemetrics.dev

; <<>> DiG 9.10.6 <<>> cname _acme-challenge.api.staging.thesemetrics.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11652
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.api.staging.thesemetrics.dev. IN CNAME

;; ANSWER SECTION:
_acme-challenge.api.staging.thesemetrics.dev. 1800 IN CNAME api.staging.thesemetrics.dev.dm9ejj.flydns.net.

;; Query time: 61 msec
;; SERVER: 2001:4e8:0:4008::12#53(2001:4e8:0:4008::12)
;; WHEN: Fri Jan 06 12:11:24 PST 2023
;; MSG SIZE  rcvd: 133

I don’t see any pre-certificate for api.staging.thesemetrics.dev at letsdebug-toolkit

I got a cert issues via the DNS verification route - so I think that’s a good work-around until the ipv6 routing works again

  1. Delete the A, AAAA, or CNAME DNS entries you created for the app
  2. Delete the pending certificate request
  3. Wait out the DNS TTL for the records you deleted
  4. fly certs remove <yourdomain
  5. fly certs create <yourdomain>
  6. fly certs show <yourdomain>
  7. there should be a _acme_challenge. listed (it might only be in the dashboard UI), create a CNAME record for that pointed to the flydns.net entry (see Custom Domains and SSL Certificates · Fly Docs)
  8. wait for the cert to be issued successfully
  9. re-create the A, AAAA, or CNAME records that point to your deployed app
  10. wait out the TTL on the SOA DNS reply (mine was 15 minutes)
  11. success!
2 Likes