Certificate issuance troubles for subdomain w/ Fly DNS


I have a certificate which is currently marked as :green_circle: Verified in the https://fly.io/apps/<app>/certificates view; however, neither of the certificate types has been issued. (I'd left them for about 12 hours to no avail, and several follow-up attempts this morning have also failed.)

I have been able to successfully add and verify a second-level domain. So this seems isolated to subdomains, but it might also be the fact that this is a subdomain of a subdomain that is itself DNS-zoned to Fly's DNS servers (created via flyctl domain add).

I recognize that these processes can have edge cases, so it's worth throwing out a couple of my potential gotchas:

  • DNS on Fly: As noted above, my TLD DNS is through Google Cloud DNS (through Google Domains), though I've delegated my NS for a particular subdomain to a Fly zone (that I created with flyctl domain add <subdomain>), so I can control the DNS through Fly directly.
  • Lot'o'Dots: I've got a few levels deep of subdomains going on at the moment. The subdomain that I'm delegating to Fly is already third.second.top, and I'm requesting a certificate for a fifth.fourth.third.second.top domain. I seem to have eliminated too-many-nested-levels as a problem by using another domain that's not on Fly DNS but equally as deep, so I don't think this is it; just flagging it!
  • App vs Domain? The DNS records I'm creating per the validation instructions for a particular app are going into the subdomain's zone. I don't think they're associated with a particular app (and I think that's by design? I don't think Fly needs a direct domain attachment to an app, right?).

Screenshots, though I'm not sure how valuable they are — mostly noting that it shows "Verified". In terms of the "Confirm domain ownership" step, I'm not sure whether the yellow dot is meant to indicate that the configuration isn't detected or not, but a dig would seem to indicate that it's matching, including the trailing dot.

Just in case support is tempted to poke at the 1g2wo here, I've deleted and recreated, so I'm onto a different domain now.

In all cases, I've validated that the _acme_challenge is resolving correctly. I've tried both creating CNAME records to the [fqdn].[5-char-rando-thing].flydns.net domain as well as an alternative approach of creating A / AAAA records from [fqdn] that point directly to my app's IPs — also to no avail.

Of course, I could totally be doing something wrong.
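The checks described in the post (delegation of the subdomain zone to Fly's nameservers, the CNAME from the ACME challenge label to the flydns.net target, or A/AAAA records from the FQDN to the app's IPs) as a small script. This is an added example, not code from the original post or from flyctl. It uses the standard `_acme-challenge` label from the ACME DNS-01 challenge (RFC 8555), normalizes trailing dots and case so a dashboard value without a trailing dot compares correctly against what dig prints, and lets you query an authoritative nameserver directly so resolver caches don't hide a stale record. The nameserver names, the `abcde` token and the IPs are placeholders; the live-DNS path assumes `dig` is installed.

```python
"""Checker for the DNS records behind a Fly.io certificate on a delegated subdomain.

Added example (not from the original post or flyctl). Nameserver names, the
"abcde" token and the IPs below are placeholders; the live path assumes `dig`.
"""
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# lookup(name, rtype) -> answer strings, in the form `dig +short` prints them
Lookup = Callable[[str, str], List[str]]
Result = Tuple[bool, str]


def norm(name: str) -> str:
    """Canonical name: lower-case with exactly one trailing dot.

    `dig +short` prints names with a trailing dot, dashboards usually omit it,
    and a naive string compare of the two reports a false mismatch.
    """
    return name.strip().lower().rstrip(".") + "."


def make_dig_lookup(server: Optional[str] = None) -> Lookup:
    """Live resolver backed by `dig +short`; pass server="ns1.example" to query
    an authoritative server directly and bypass recursive-resolver caches."""
    def lookup(name: str, rtype: str) -> List[str]:
        cmd = ["dig", "+short", rtype, norm(name)]
        if server:
            cmd.append("@" + server)
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        return [line.strip() for line in out.splitlines() if line.strip()]
    return lookup


def check_delegation(zone: str, expected_ns: Iterable[str], lookup: Lookup) -> Result:
    """The parent must delegate `zone` to (at least) the expected nameservers."""
    seen = {norm(n) for n in lookup(zone, "NS")}
    want = {norm(n) for n in expected_ns}
    if not seen:
        return False, f"no NS records visible for {norm(zone)}"
    missing = want - seen
    if missing:
        return False, f"delegation for {norm(zone)} lacks {sorted(missing)}"
    return True, f"{norm(zone)} delegated to {sorted(seen)}"


def check_acme_cname(fqdn: str, target: str, lookup: Lookup) -> Result:
    """DNS-01 path: _acme-challenge.<fqdn> must be a CNAME to the flydns.net target."""
    owner = "_acme-challenge." + norm(fqdn)
    answers = [norm(a) for a in lookup(owner, "CNAME")]
    if not answers:
        return False, f"{owner} has no CNAME"
    if norm(target) not in answers:
        return False, f"{owner} points at {answers}, expected {norm(target)}"
    return True, f"{owner} -> {norm(target)}"


def check_app_ips(fqdn: str, v4: Iterable[str], v6: Iterable[str], lookup: Lookup) -> Result:
    """Direct path: the FQDN must resolve to exactly the app's IPs, nothing else."""
    got4 = set(lookup(fqdn, "A"))
    got6 = {a.lower() for a in lookup(fqdn, "AAAA")}
    want4, want6 = set(v4), {a.lower() for a in v6}
    if got4 != want4 or got6 != want6:
        return False, (f"{norm(fqdn)} resolves to A={sorted(got4)} AAAA={sorted(got6)}, "
                       f"expected A={sorted(want4)} AAAA={sorted(want6)}")
    return True, f"{norm(fqdn)} resolves to the app's IPs"


def run_checks(fqdn: str, zone: str, zone_ns: Iterable[str], acme_target: str,
               v4: Iterable[str], v6: Iterable[str], lookup: Lookup) -> Dict[str, Result]:
    return {
        "delegation": check_delegation(zone, zone_ns, lookup),
        "acme_cname": check_acme_cname(fqdn, acme_target, lookup),
        "app_ips": check_app_ips(fqdn, v4, v6, lookup),
    }


def sample_lookup(name: str, rtype: str) -> List[str]:
    """Constructed record set standing in for the live zones (placeholder names/IPs)."""
    records = {
        ("third.second.top.", "NS"): ["ns1.example-dns.net.", "ns2.example-dns.net."],
        ("_acme-challenge.fifth.fourth.third.second.top.", "CNAME"):
            ["fifth.fourth.third.second.top.abcde.flydns.net."],
        ("fifth.fourth.third.second.top.", "A"): ["192.0.2.10"],
        ("fifth.fourth.third.second.top.", "AAAA"): ["2001:db8::10"],
    }
    return records.get((norm(name), rtype.upper()), [])


if __name__ == "__main__":
    results = run_checks(
        fqdn="fifth.fourth.third.second.top", zone="third.second.top",
        zone_ns=["ns1.example-dns.net", "ns2.example-dns.net"],
        acme_target="fifth.fourth.third.second.top.abcde.flydns.net",
        v4=["192.0.2.10"], v6=["2001:db8::10"],
        lookup=sample_lookup,  # use make_dig_lookup() or make_dig_lookup("ns1.…") for live DNS
    )
    for check, (ok, msg) in results.items():
        print("PASS" if ok else "FAIL", check, msg)
```

Running the delegation check against the parent zone's nameservers and the CNAME check against the delegated zone's nameservers (via `make_dig_lookup("<ns>")`) separates "the record is wrong" from "the resolver I'm using hasn't seen it yet", which is the distinction that matters when a dashboard and a local dig disagree.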