cert not being issued after 12h

We updated the statuspage here: Fly.io Status - Routing issues for newly allocated IPv6 addresses

If you’re currently having cert errors, this is the most likely reason.

The workaround from @timothypage worked for me as well.

Workaround worked for me too. Thanks.

A fix has been rolled out. Sorry about all of that, there are more rough edges with shared IPs than we initially thought.


IPv6 routing appears to still be an issue. I had to remove the AAAA DNS records for my domain to get certificates issued.

We actually won’t issue a cert at all unless there is an AAAA record. Can you give us some more details on the sequence here?

I am not 100% sure of the steps since I did not expect to run into issues :slight_smile:

I think the order of events was:

  1. I created the AAAA DNS record for the IPv6 address
  2. Days later, I tried to have a certificate issued
  3. The UI showed that verification was successful but no certs had been issued. The CLI noted that Your certificate for <domain> is being issued. Status is Awaiting certificates.
  4. Nothing changed for hours
  5. I added the CNAME for _acme-challenge and tried deleting and recreating the certificate
  6. It got stuck in the same way (for over 12+ hours)
  7. I deleted the AAAA record
  8. I deleted and recreated the certificate a few more times (I waited ~15 mins in-between)
  9. Eventually (~an hour later) the certificate was issued

Currently my domain does not have an AAAA record. Weirdly, the UI still shows that Fly thinks that I do have an AAAA record (I tried hitting Check again and nothing changes).

This one worked out for me. :hugs:

Currently experiencing this same issue. Tried different stuffs, Nothing seems to be working :disappointed:

Same issue, been waiting for nearly an hour on 2 projects that use totally different top level domains of mine.

I’m experiencing this issue as well.

Hey @justindotpub

You have a CAA record on your domain which doesn’t list letsencrypt.org. When CAA record is present, it needs to include letsencrypt.org, otherwise it won’t be able to issue a certificate.

1 Like

@pavel ah, fabulous. Thank you for pointing that out! For reference in case anyone else runs into this issue, I added the following to my existing CAA record.

0 issuewild "letsencrypt.org"
0 issue "letsencrypt.org"

Then I deleted and readded the certs, and they provisioned in less than 30 s each.

1 Like