Certificate generation is working for www subdomain but not the root domain

I’ve got a domain configured for https://{domain} and https://www.{domain}. fly.io has generated certs for the www subdomain but I have red dots for both RSA and ECDSA for the root domain. It has been like this for months.

letsdebug.net is reporting:

ANotWorking
Error
kpbj.fm has an A (IPv4) record (66.241.124.226) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://kpbj.fm/.well-known/acme-challenge/letsdebug-test": EOF

Trace:
@0ms: Making a request to http://kpbj.fm/.well-known/acme-challenge/letsdebug-test (using initial IP 66.241.124.226)
@0ms: Dialing 66.241.124.226
@2083ms: Experienced error: EOF

silly question but… did you generate the cert for the naked domain?

You mean via the fly.io certificates menu right?

yes, I see you don’t have an AAAA record pointing your naked domain to your app IPv6. take a look at Custom domains · Fly Docs

and in particular:

Important: Hostname validation will fail without an IPv6 address—and we won’t attempt to issue or renew a certificate—unless you’re using a CNAME _acme-challenge for domain verification. However, we still recommend having both an IPv4 and an IPv6 address allocated if your app is serving traffic. If your app doesn’t have an IPv6 address, allocate one with flyctl ips allocate-v6.

I’m using option 1 from that page Option I: Set a CNAME record.

Just to be safe I allocated an IPv6 address and added an AAAA record. I still don’t have a cert issued.

When I checked earlier today there was only one CNAME record in your DNS and it was for www.kpbj.fm which in fact was working correctly. [*]

There was only an A record for the root domain but no AAAA which is required.

Now that you’ve created (and deleted the CNAME for www?) it’s not like Let’s Encrypt is there checking your DNS every minute of every hour forever :slight_smile:

You can try and trigger the cert flow again with fly certs check kpbj.fm

(and even delete the old cert and create a new one should everything else fail).

[*] in general DNS managers don’t allow you to create CNAME records for root domains and those few who do… shouldn’t.

When I checked earlier today there was only one CNAME record in your DNS and it was for www.kpbj.fm which in fact was working correctly. [*]

Sorry let me be more clear here. I’ve had A records for kpbj.fm and www.kpbj.fm. I also have CNAME records for the acme challenges. This hasn’t changed.

Today I added an IPv6 IP and an AAAA record, but that’s it.

Can you see anything wrong with my DNS setup currently? It looks correct to me afaict. Other than adding the AAAA record for IPv6 it is the same as it has been for a long time and I still cannot get a cert to generate (including hitting the recheck button in the UI and using the CLI cert check command).

It says it can take up to 24 hours for it to propagate but from my experience, it takes only a few minutes. You also want A/AAAA + acme for certbot to autorenew. CNAME won’t autorenew.

Neither of these actions is fixing the cert generation.

every DNS check I do, using different tools, reports no CNAME for www, e.g.

I have an A record for www. Why do I need a CNAME for it?

EDIT: sorry, I realize I was confused when I had originally said I was using OPTION 1 Set a CNAME Record. In any case I currently have A and AAAA records as required for OPTION 2 but it’s still stuck awaiting cert generation.

If you’re using Cloudflare, you have to leave it as DNS only (gray cloud) until the certs are resolved. I’m not sure if that’s relevant to w/e DNS provider you’re using.

I’m using CloudFlare and everything is set to DNS Only.

Delete your certs on Fly and recreate them:
fly certs add kpbj.fm -a app-name

Then create DNS records on Cloudflare:

  1. DNS > Records
  2. Click Add record
  3. Add A Record
  4. IMPORTANT: Uncheck the toggle button so it’s gray (not orange), ie DNS only
  5. Click Save
  6. Wait until Cloudflare validates the certificate
  7. Go to Fly’s Certificate and wait til RSA and ECDSA are green
  8. Go back to Cloudflare and edit the record to allow for proxy (orange toggle)

Repeat for AAAA record and add the acme for cert renewal (make sure acme record is gray cloud too)
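The doc excerpt quoted earlier (AAAA required unless a _acme-challenge CNAME is used, CNAME not valid at the apex) and the Cloudflare steps above boil down to a handful of rules you can check against your zone before waiting on another recheck. The script below is an added example, not fly.io’s or Cloudflare’s tooling: it models a zone as a plain dict (in practice you would fill it from dig or your provider’s API), encodes those rules, and reports why a hostname would be stuck. The domain, addresses, record targets and the "proxied" set are constructed sample values.

```python
"""Pre-flight check of the DNS records fly.io needs before it will try to
issue a certificate for a hostname. Added example; not fly.io's own code.

Rules encoded (from the Fly docs quoted in the thread and the steps above):
  * hostname validation needs an AAAA (IPv6) record, unless a
    CNAME at _acme-challenge.<hostname> is used for verification;
  * an A record alone is not enough;
  * a CNAME at the zone apex is invalid, and a CNAME cannot coexist
    with A/AAAA records on the same name;
  * with Cloudflare, the name (and its _acme-challenge name) must be
    "DNS only" (grey cloud), not proxied, until the cert is issued.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Zone model: {owner name: {record type: [values]}}.  Assumption of this
# example; a real run would populate it from dig or the provider API.
RecordSet = Dict[str, Dict[str, List[str]]]


@dataclass
class CheckResult:
    hostname: str
    ok: bool
    problems: List[str] = field(default_factory=list)


def check_fly_dns(records: RecordSet, hostname: str, apex: str,
                  proxied: FrozenSet[str] = frozenset()) -> CheckResult:
    """Apply the rules above to one hostname and list every violation."""
    rr = records.get(hostname, {})
    acme_name = f"_acme-challenge.{hostname}"
    acme = records.get(acme_name, {})
    problems: List[str] = []

    has_a = bool(rr.get("A"))
    has_aaaa = bool(rr.get("AAAA"))
    has_cname = bool(rr.get("CNAME"))
    has_acme_cname = bool(acme.get("CNAME"))

    if hostname == apex and has_cname:
        problems.append(f"{hostname}: CNAME at the zone apex is invalid")
    if has_cname and (has_a or has_aaaa):
        problems.append(f"{hostname}: CNAME cannot coexist with A/AAAA records")
    if not (has_a or has_aaaa or has_cname):
        problems.append(f"{hostname}: no A, AAAA or CNAME record; nothing to validate")
    # Assumption: a CNAME to the app's own hostname inherits the app's
    # IPv6 address, so it is treated like having an AAAA record.
    elif not (has_aaaa or has_cname or has_acme_cname):
        problems.append(f"{hostname}: no AAAA record and no {acme_name} CNAME; "
                        "hostname validation will not be attempted")
    for name in (hostname, acme_name):
        if name in proxied:
            problems.append(f"{name}: proxied (orange cloud); set it to DNS only "
                            "until the certificate is issued")
    return CheckResult(hostname, not problems, problems)


def audit_zone(records: RecordSet, apex: str,
               proxied: FrozenSet[str] = frozenset()) -> Dict[str, CheckResult]:
    """Check every hostname in the zone except the _acme-challenge names."""
    return {name: check_fly_dns(records, name, apex, proxied)
            for name in records if not name.startswith("_acme-challenge.")}


# Constructed sample zone, modelled on the thread's starting point: the apex
# has only an A record, www is a CNAME with its own _acme-challenge CNAME.
# The CNAME targets are placeholders, not real fly.io names.
ZONE_BEFORE: RecordSet = {
    "example.com": {"A": ["192.0.2.10"]},
    "www.example.com": {"CNAME": ["PLACEHOLDER-app.fly.dev."]},
    "_acme-challenge.www.example.com": {"CNAME": ["PLACEHOLDER-acme-target.example."]},
}

# Same zone after adding the AAAA record the docs require for the apex.
ZONE_AFTER: RecordSet = {
    **ZONE_BEFORE,
    "example.com": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}

# A zone whose apex is a CNAME, which the footnote in the thread warns against.
ZONE_APEX_CNAME: RecordSet = {
    "example.com": {"CNAME": ["PLACEHOLDER-app.fly.dev."]},
}

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER),
                        ("apex CNAME", ZONE_APEX_CNAME)):
        print(f"== {label} ==")
        for name, result in audit_zone(zone, "example.com").items():
            status = "ok" if result.ok else "STUCK"
            print(f"  {name}: {status}")
            for p in result.problems:
                print(f"    - {p}")
```

Running it on the "before" zone flags the apex (A only, no AAAA, no _acme-challenge CNAME) while www passes, which matches the symptom in the thread; the "after" zone passes for both names, and passing a proxied set containing the apex reproduces the orange-cloud problem from step 4 of the Cloudflare instructions.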

This is how I set up everything in the first place. I already have the A/AAAA records in Cloudflare which are set to DNS Only and the certs created in fly.io which are red.

Then there must be something up recently. I have 10+ records and they’re all working when I created them a few months ago.

I’ve recreated this cert many times at this point; I just tried again. This has been an ongoing problem with this domain for months.

I think there is something broken on the backend of fly.io. Do company reps check forum posts here?

Can you create a min repro of a fly app. I’ll try to deploy it and see if I get the same problem w/ certs.

What would I be reproducing? The application code has nothing to do with this issue (the www domain works fine).

Not entirely sure, but something to go on is better than nothing.