Certificate expired, no way to renew?

Under my application > Certificates > [subdomain.domain_name], I see two expired certificates but no way to renew them?

My DNS has been working just fine, but just noticed today that this particular sub-domain hasn’t had its certs auto-renewed. I do use Cloudflare and A/AAAA records to manage my DNS, if that matters (I get a bad handshake error when navigating to the sub-domain in question)


Ah, this is a known issue when using Cloudflare.

If you want the SSL certificate issued by Fly, it needs to verify your domain. However if your DNS record is orange-cloud (proxied by them), it can’t. Since it gets a Cloudflare IP back.

The simplest option is therefore to not use the Cloudflare proxy. Click the orange cloud in their UI and it should toggle to grey (non-proxied).

But of course you then lose Cloudflare’s benefits (bots, DDoS, geo-headers and whatever else your app may need). That’s the trade-off.

If you need to keep Cloudflare involved and so keep an orange-cloud DNS record, there are different options.

You could change to “flexible” mode:

Or install its origin certificate on your Fly app (also linked somewhere on that page)

Or add an extra grey-cloud acme TXT record to your DNS that Fly can use to verify your domain.


1 Like

Thank you Greg! I’m looking to maintain Cloudflare’s security features

Regarding the acme TXT record solution, I’ve added the grey-cloud acme TXT record and I get a green check for ownership verification on the Fly side, but “Check again” doesn’t trigger recertification – are there other steps to that solution?

1 Like

@n-olz No problem.

Yep, the acme TXT record should let Fly verify you own the domain and so allow the certificate to be issued. That should mean you can use Cloudflare orange-cloud still, while also keeping a secure connection from it to the origin (in this case, your Fly app).

It sounds like you are getting it verified, by the green tick. So it may be issued shortly. Not sure how long it takes to re-certify.

The other possible issue is I recall there being some complications with apex/root domains. Like if you use that approach for Cloudflare with example.com and not www.example.com :thinking: It should work for sub-domains but I’m not sure about the apex one.

1 Like

Sounds good, I’ll give it some time and report back

The verification record sub-card has the green confirmed check but the parent verification card still shows a warning dot rather than green:


Two other thoughts:

The let’s encrypt (which I assume they still use, behind the scenes) docs mention a TXT record but that screenshot shows CNAME … :thinking: I guess go with whatever the Fly UI asks for though. After all, the green tick suggests its happy.

As for the time it’ll take, no idea but … I guess if your site is not working anyway … you don’t have much to lose by removing the cert from the flyctl cli … and then add it again. That should start the clock again, but this time you have the acme record already in place and so it would (possibly) work? Total guess.

1 Like

Thanks Greg, just removed and re-added the cert via the CLI

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.