I have a certificate which is currently marked as Verified in the `https://fly.io/apps/<app>/certificates` view; however, neither of the certificate types has been issued. (I’d left them for about 12 hours to no avail, and several follow-up attempts this morning have also failed.)
I have been able to successfully add and verify a second-level domain. So this seems isolated to subdomains, but it might also be the fact that this is a subdomain of a subdomain that itself is DNS zoned to Fly’s DNS servers (created via `flyctl domain add`).
I recognize that these processes can have edge cases, so it’s worth throwing a couple of my potential gotchas:
- DNS on Fly: As noted above, my TLD DNS is through Google Cloud DNS (through Google Domains), though I’ve delegated my `NS` for a particular subdomain to a Fly zone (that I created with `flyctl domain add <subdomain>`), so I can control the DNS through Fly directly.
- Lot’o’Dots: I’ve got a few levels deep of subdomains going on at the moment. The subdomain that I’m delegating to Fly is already `third.second.top` and I’m requesting a certificate for a `fifth.fourth.third.second.top` domain. I seem to have eliminated just too-many-nested levels as a problem by using another domain that’s not on Fly DNS but equally as deep, so I don’t think this is it; just flagging this!
- App vs Domain? The DNS records I’m creating per the validation instructions for a particular app are going into the subdomain’s zone. I don’t think they’re associated with a particular app (and I think that’s by design?; I don’t think Fly needs a direct domain attachment to an app, right?)
Screenshots, though I’m not sure how valuable they are — mostly noting that it shows “Verified”. In terms of the “Confirm domain ownership” step — I’m not sure if the yellow-dot is meant to indicate that the configuration isn’t detected or not, but a `dig` would seem to indicate that it’s matching, including the trailing
Just in case support is tempted to poke at the `1g2wo` here, I’ve deleted and recreated so I’m onto a different domain now.
In all cases, I’ve validated that the `_acme_challenge` is resolving correctly. I’ve tried both creating `CNAME` records to the `[fqdn].[5-char-rando-thing].flydns.net` domain as well as an alternative approach to creating `AAAA` records from `[fqdn].` that point directly to my app’s IPs — also to no avail.
Of course, I could totally be doing something wrong.