Under my application > Certificates > [subdomain.domain_name], I see two expired certificates but no way to renew them?
My DNS has been working just fine, but I just noticed today that this particular sub-domain hasn’t had its certs auto-renewed. I do use Cloudflare and A/AAAA records to manage my DNS, if that matters (I get a bad handshake error when navigating to the sub-domain in question).
If you want the SSL certificate issued by Fly, it needs to verify your domain. However, if your DNS record is orange-cloud (proxied by them), it can’t, since it gets a Cloudflare IP back.
The simplest option is therefore to not use the Cloudflare proxy. Click the orange cloud in their UI and it should toggle to grey (non-proxied).
But of course you then lose Cloudflare’s benefits (bots, DDoS, geo-headers and whatever else your app may need). That’s the trade-off.
If you need to keep Cloudflare involved and so keep an orange-cloud DNS record, there are different options.
You could change to “flexible” mode:
Or install its origin certificate on your Fly app (also linked somewhere on that page).
Or add an extra grey-cloud acme TXT record to your DNS that Fly can use to verify your domain.
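The failure mode described above (the issuer resolves the hostname, gets a Cloudflare edge address instead of the Fly origin, and cannot validate) can be checked from the DNS answers alone. The script below is an added example, not code from this thread or from Fly.io or Cloudflare. It assumes the Cloudflare address ranges are the ones published at https://www.cloudflare.com/ips/ (a snapshot, so refresh them before relying on the result), and it uses the standard ACME DNS-01 label `_acme-challenge.<hostname>` from RFC 8555 as the place where the extra grey-cloud acme record would live; the `DnsSnapshot` and `diagnose` names are this example's own.

```python
"""Classify why an ACME certificate may not issue for a hostname fronted by
Cloudflare, given the DNS answers the caller already looked up.

Assumptions (this example's, not the thread's or Fly's):
  * CLOUDFLARE_RANGES is a snapshot of https://www.cloudflare.com/ips/.
  * The DNS-01 validation record lives at _acme-challenge.<hostname>
    (RFC 8555); a TXT or a CNAME answer at that label both count here.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import List

CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Verdict codes returned by diagnose().
DIRECT = "DIRECT"                    # grey cloud: issuer reaches the origin
PROXIED_WITH_ACME = "PROXIED_WITH_ACME"  # orange cloud, DNS-01 record present
PROXIED_NO_ACME = "PROXIED_NO_ACME"  # orange cloud, nothing for the issuer to validate
NO_ADDRESS = "NO_ADDRESS"            # hostname does not resolve at all


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr falls inside one of the published Cloudflare edge ranges.
    ipaddress returns False for an IPv6 address tested against an IPv4 net."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


@dataclass
class DnsSnapshot:
    hostname: str
    addresses: List[str] = field(default_factory=list)   # A/AAAA answers
    acme_records: List[str] = field(default_factory=list)  # TXT/CNAME at _acme-challenge.<hostname>


@dataclass
class Diagnosis:
    code: str
    proxied: bool
    acme_record_present: bool
    message: str


def diagnose(snap: DnsSnapshot) -> Diagnosis:
    """Decide whether the issuer can validate the hostname as things stand."""
    if not snap.addresses:
        return Diagnosis(NO_ADDRESS, False, False,
                         f"{snap.hostname} has no A/AAAA answer; nothing to validate yet")
    # When a record is proxied, Cloudflare substitutes its own edge addresses
    # for every answer, so one Cloudflare address is enough to call it proxied.
    proxied = any(is_cloudflare_ip(a) for a in snap.addresses)
    has_acme = bool(snap.acme_records)
    label = f"_acme-challenge.{snap.hostname}"
    if not proxied:
        return Diagnosis(DIRECT, False, has_acme,
                         f"{snap.hostname} resolves to the origin; validation can reach it directly")
    if has_acme:
        return Diagnosis(PROXIED_WITH_ACME, True, True,
                         f"{snap.hostname} is proxied but {label} is published; "
                         "DNS-01 validation can proceed while the orange cloud stays on")
    return Diagnosis(PROXIED_NO_ACME, True, False,
                     f"{snap.hostname} resolves to Cloudflare and {label} is absent; "
                     "the issuer only sees the edge. Either grey-cloud the record or add the acme record")


def resolve_addresses(hostname: str) -> List[str]:
    """Live A/AAAA lookup via the stdlib. TXT/CNAME lookups need dig or dnspython,
    so acme_records must be supplied by the caller."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


if __name__ == "__main__":
    # Constructed sample answers, not real lookups.
    sample = DnsSnapshot("app.example.com", ["104.16.1.1", "2606:4700::1"], [])
    print(diagnose(sample).message)
    print(diagnose(DnsSnapshot("app.example.com", ["104.16.1.1"],
                               ["_acme-challenge.app.example.com TXT \"constructed-token\""])).message)
```

Feed `diagnose` the answers from `dig A`, `dig AAAA` and `dig TXT _acme-challenge.<host>` (or the live `resolve_addresses` for the A/AAAA part), and the verdict code tells you which of the options in the reply above applies before you spend another renewal attempt.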
Thank you, Greg! I’m looking to maintain Cloudflare’s security features.
Regarding the acme TXT record solution, I’ve added the grey-cloud acme TXT record and I get a green check for ownership verification on the Fly side, but “Check again” doesn’t trigger recertification – are there other steps to that solution?
Yep, the acme TXT record should let Fly verify you own the domain and so allow the certificate to be issued. That should mean you can use Cloudflare orange-cloud still, while also keeping a secure connection from it to the origin (in this case, your Fly app).
It sounds like you are getting it verified, by the green tick. So it may be issued shortly. Not sure how long it takes to re-certify.
The other possible issue is I recall there being some complications with apex/root domains. Like if you use that approach for Cloudflare with example.com and not www.example.com. It should work for sub-domains, but I’m not sure about the apex one.
The Let’s Encrypt docs (which I assume they still use, behind the scenes) mention a TXT record, but that screenshot shows CNAME … I guess go with whatever the Fly UI asks for though. After all, the green tick suggests it’s happy.
As for the time it’ll take, no idea but … I guess if your site is not working anyway … you don’t have much to lose by removing the cert from the flyctl cli … and then add it again. That should start the clock again, but this time you have the acme record already in place and so it would (possibly) work? Total guess.