I’ve got a domain configured for https://{domain} and https://www.{domain}. fly.io has generated certs for the www subdomain but I have red dots for both RSA and ECDSA for the root domain. It has been like this for months.
ANotWorking
Error
kpbj.fm has an A (IPv4) record (66.241.124.226) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://kpbj.fm/.well-known/acme-challenge/letsdebug-test": EOF
Trace:
@0ms: Making a request to http://kpbj.fm/.well-known/acme-challenge/letsdebug-test (using initial IP 66.241.124.226)
@0ms: Dialing 66.241.124.226
@2083ms: Experienced error: EOF
Yes, I see you don’t have an AAAA record pointing your naked domain to your app’s IPv6 address. Take a look at Custom domains · Fly Docs
and in particular:
Important: Hostname validation will fail without an IPv6 address—and we won’t attempt to issue or renew a certificate—unless you’re using a CNAME _acme-challenge for domain verification. However, we still recommend having both an IPv4 and an IPv6 address allocated if your app is serving traffic. If your app doesn’t have an IPv6 address, allocate one with flyctl ips allocate-v6.
When I checked earlier today there was only one CNAME record in your DNS and it was for www.kpbj.fm, which in fact was working correctly.
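As an added illustration (not from this thread or from Fly’s own tooling), the rule quoted above can be expressed as a small check over a zone’s record set: validation is attempted when the host has an AAAA record or an _acme-challenge CNAME, and having only one of A/AAAA is flagged as a warning. The zone data and the .test names below are constructed placeholders.

```python
"""Evaluate a DNS record set against the Fly.io custom-domain rule:
AAAA is required for hostname validation unless an _acme-challenge CNAME
is used. All record data here is constructed; .test names are placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Records = Dict[Tuple[str, str], List[str]]  # (owner name, RR type) -> values


@dataclass
class Verdict:
    ok: bool                 # would certificate issuance/renewal be attempted?
    method: str              # "acme-cname", "aaaa" or "none"
    problems: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def check_hostname(host: str, records: Records) -> Verdict:
    a = records.get((host, "A"), [])
    aaaa = records.get((host, "AAAA"), [])
    acme = records.get((f"_acme-challenge.{host}", "CNAME"), [])
    problems, warnings = [], []
    if not a and not aaaa:
        problems.append(f"{host}: no A or AAAA record, nothing can reach the app")
    if acme:
        method = "acme-cname"          # validation delegated via the CNAME
    elif aaaa:
        method = "aaaa"
    else:
        method = "none"
        problems.append(f"{host}: missing AAAA and no _acme-challenge CNAME; "
                        "validation will fail (allocate a v6 IP, then add AAAA)")
    if bool(a) != bool(aaaa):
        warnings.append(f"{host}: only one of A/AAAA present; both are recommended")
    return Verdict(not problems, method, problems, warnings)


# Constructed zones for a root domain in three states.
IPV4_ONLY: Records = {("example.test", "A"): ["192.0.2.10"]}
DUAL_STACK: Records = {("example.test", "A"): ["192.0.2.10"],
                       ("example.test", "AAAA"): ["2001:db8::10"]}
ACME_DELEGATED: Records = {("example.test", "A"): ["192.0.2.10"],
                           ("_acme-challenge.example.test", "CNAME"):
                               ["example.test.acme-target.placeholder.test."]}

if __name__ == "__main__":
    for label, zone in [("ipv4-only", IPV4_ONLY), ("dual-stack", DUAL_STACK),
                        ("acme-cname", ACME_DELEGATED)]:
        v = check_hostname("example.test", zone)
        print(label, v.method, "OK" if v.ok else "FAIL", *v.problems, *v.warnings)
```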
Sorry let me be more clear here. I’ve had A records for kpbj.fm and www.kpbj.fm. I also have CNAME records for the acme challenges. This hasn’t changed.
Today I added an IPv6 IP and an AAAA record, but that’s it.
Can you see anything wrong with my DNS setup currently? It looks correct to me, afaict. Other than adding the AAAA record for IPv6 it is the same as it has been for a long time, and I still cannot get a cert to generate (including hitting the recheck button in the UI and using the CLI cert check command).
It says it can take up to 24 hours for it to propagate, but from my experience it takes only a few minutes. You also want A/AAAA + acme for certbot to autorenew. CNAME won’t autorenew.
I have an A record for www. Why do I need a CNAME for it?
EDIT: sorry, I realize I was confused when I had originally said I was using OPTION 1 Set a CNAME Record. In any case I currently have A and AAAA records as required for OPTION 2, but it’s still stuck awaiting cert generation.
If you’re using Cloudflare, you have to leave it as DNS only (gray cloud) until the certs are resolved. I’m not sure if that’s relevant to w/e DNS provider you’re using.
This is how I set up everything in the first place. I already have the A/AAAA records in Cloudflare, which are set to DNS Only, and the certs created in fly.io, which are red.