Certificate issuance troubles for subdomain w/ Fly DNS

Questions / Help
1

Hey!,

I have a certificate which is currently marked as :green_circle: Verified in the https://fly.io/apps/<app>/certificates view, however, neither of the certificate types have been issued. (I’d left them for about 12 hours to no avail, and several follow-up attempts this morning have also failed).

I have been able to successfully add and verify a second-level domain. So this seems isolated to subdomains, but it might also be the fact that this is a subdomain of a subdomain that itself is DNS zoned to Fly’s DNS servers (created via flyctl domain add)

I recognize that these processes can have edge cases, so it’s worth throwing a couple of my potential gotchas:

  • DNS on Fly: As noted above, my TLD DNS is through Google Cloud DNS (through Google Domains), though I’ve delegated my NS for a particular subdomain to a Fly zone (that I created with flyctl domain add <subdomain>, so I can control the DNS through Fly directly.
  • Lot’o’Dots: I’ve got a few levels deep of subdomains going on at the moment. The subdomain that I’m delegating to Fly is already third.second.top and I’m requesting a certificate for a fifth.fourth.third.second.top domain. I seem to have eliminated just too-many-nested levels as a problem by using another domain that’s not on Fly DNS but equally as deep, so I don’t think this is it; just flagging this!
  • App vs Domain? The DNS records I’m creating per the validation instructions for a particular app are going into the subdomain’s zone. I don’t think they’re associated with a particular app (and I think that’s by design?; I don’t think Fly needs a direct domain attachment to an app, right?)

Screenshots, though I’m not sure how valuable they are — mostly noting that it shows “Verified”. In terms of the “Confirm domain ownership” step — I’m not sure if the yellow-dot is meant to indicate that the configuration isn’t detected or not, but a dig would seem to indicate that it’s matching, including the trailing ..

Image 2022-02-01 at 9.57.56 AM
Image 2022-02-01 at 9.57.56 AM1572×1252 75.7 KB

Image 2022-02-01 at 9.59.39 AM
Image 2022-02-01 at 9.59.39 AM1910×456 59.2 KB

Image 2022-02-01 at 10.00.05 AM
Image 2022-02-01 at 10.00.05 AM1226×90 32.2 KB

Just in case support is tempted to poke at the 1g2wo here, I’ve deleted and recreated so I’m onto a different domain now.

In all cases, I’ve validated that the _acme_challenge is resolving correctly. I’ve tried both creating CNAME records to the [fqdn].[5-char-rando-thing].flydns.net domain as well as an alternative approach to creating A / AAAA records from [fqdn]. that point directly to my apps IPs — also to no avail.

Of course, I could totally be doing something wrong.

Thoughts?