hey there-- you might have already noticed this, but we’re currently investigating issues with our private DNS servers. If you’re using a DNS-01 challenge (and it sounds like you are), then this is most likely what’s holding you up.
You also can follow our progress on our status page as we work to get everything back in order as soon as we can.
Just to jump in, this may be related to the DNS issue but if you say it was happening prior to that, that may equally be a coincidence.
You mention “the root one”. Do you mean the apex domain? If so, I recall a mention you needed both A and AAAA records to validate that. I’m not sure if that’s still the case but could be worth a try. Can’t hurt. From Fly:
Yup, it’s definitely still the case that you need an A and AAAA record to get a cert for your apex domain by itself. For root domains, we use TLS-ALPN-01. A wildcard cert for an apex domain would use a DNS-01 challenge, though.
Yep, again one for Fly to investigate. Likely be tomorrow now.
I suspect re-enabling the Cloudflare proxy would cause any subsequent re-validation to fail. In X weeks/months, whenever it checks again. Since then it would return a Cloudflare IP. Not a Fly one. Now I would think the grey-cloud/non-proxied acme challenge would be sufficient to validate the www record (and so let you orange-cloud/proxy the actual www record). But I don’t think the acme challenge would be sufficient for the apex record. I’ve seen multiple posts where the apex has to be A/AAAA IP … and so you would then run into that problem of it returning the proxy’s A/AAAA IP.
I was digging through Cloudflare to see if there are any more things I can disable that might be interfering here. Found a button that says “Disable Cloudflare on site”, which disabled all Cloudflare features and just continues to resolve the DNS records.
Removed and re-created the certificate, but not having any luck sadly. I’m guessing disabling all of Cloudflare other than DNS does eliminate Cloudflare as the issue here (if I understand that feature correctly), so maybe it is indeed an issue within Fly.
So I tried this out for myself with an identical record config with Cloudflare on a test domain, which succeeded. Digging into things on our end, it looks like the _acme-challenge record (the acme CNAME for the apex domain) might be getting in your way, though. Would you try removing it, to see if that helps?
It shouldn’t be necessary to re-add the CNAME for the _acme-challenge records unless you need DNS-01 verification (which is why the record is pointed to the nameservers we use for that).
You’d need DNS-01 verification if you were trying to create a wildcard certificate.
Hopefully removing the acme-challenge records will sort things out!
Sorry to hijack the thread but since we’re both dealing with Cloudflare I hope you don’t mind @manavo - just wanted to recap on the proxying through CF aspect - it sounds like to be able to use the benefits of CloudFlare and not worry about the expiry of the certificates we’d need to just use a CNAME for the apex domain pointing to the .fly.dev URL? Which adds an extra network hop but keeps the benefits?
And this wouldn’t be possible if we wanted to use a wildcard domain at all? (keeping the benefits of CF proxy and not worry about cert renewal)
@manavo, it looks like both zigzagger and www.zigzagger.io are now serving certs, so hopefully this means that our certs came through!
@tomasztomczyk: Yup, if you needed a wildcard domain, you’d need a DNS-01 challenge. Let’s Encrypt (our CA) won’t issue them otherwise.
Keeping Cloudflare’s proxied records on will prevent our TLS-ALPN-01 challenge from being completed successfully, which is what you’d be using without an _acme-challenge record. I’m not completely sure why these records seemed to be causing issues for your cases-- when I tried setting up records identical to yours (but with a different domain), it succeeded within a couple of minutes.
If you need Cloudflare proxying, it’s definitely worth a shot to try re-adding these records at some point, perhaps creating them with a TTL of 2-3 min and waiting to make sure they’ve updated globally with a tool like dnschecker.org or similar.
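As an added example (not code from this thread or from Fly), here is a small pre-flight check that encodes the rules given above: a wildcard cert needs DNS-01 via an _acme-challenge CNAME, while an apex or other non-wildcard cert uses TLS-ALPN-01 and needs A and AAAA records that actually resolve to the app's Fly IPs rather than a proxy's. The Fly IPs, the ACME nameserver suffix and every DNS record in it are constructed placeholders; substitute the addresses and CNAME target Fly shows for your app.

```python
import ipaddress
from dataclasses import dataclass, field

def _norm(ips):
    # Canonical text form so "2001:DB8::10" and "2001:db8:0::10" compare equal
    return {ipaddress.ip_address(ip).compressed for ip in ips}

@dataclass
class ZoneRecords:
    """Constructed DNS snapshot of one name, as a resolver would return it."""
    a: list = field(default_factory=list)      # A records on the name
    aaaa: list = field(default_factory=list)   # AAAA records on the name
    acme_cname: str = ""                       # CNAME target of _acme-challenge.<name>, if any

def preflight(name, wildcard, zone, fly_v4, fly_v6, acme_ns_suffix):
    """Check a zone against the rules in the thread before requesting a cert.

    wildcard  -> DNS-01: _acme-challenge.<name> must CNAME to Fly's ACME nameservers.
    otherwise -> TLS-ALPN-01: A *and* AAAA must resolve to the app's Fly IPs;
                 a proxy in front (any non-Fly address) makes the challenge fail.
    Returns {"challenge": str, "ok": bool, "problems": [str, ...]}.
    """
    problems = []
    if wildcard:
        challenge = "DNS-01"
        if not zone.acme_cname.rstrip(".").endswith(acme_ns_suffix):
            problems.append(f"_acme-challenge.{name} must CNAME to Fly's ACME nameservers")
    else:
        challenge = "TLS-ALPN-01"
        if not zone.a:
            problems.append("missing A record")
        if not zone.aaaa:
            problems.append("missing AAAA record")
        foreign = sorted((_norm(zone.a) - _norm(fly_v4)) | (_norm(zone.aaaa) - _norm(fly_v6)))
        if foreign:
            problems.append(f"non-Fly addresses (proxied or stale record?): {foreign}")
        if zone.acme_cname:
            problems.append("stray _acme-challenge CNAME; remove it unless DNS-01 is needed")
    return {"challenge": challenge, "ok": not problems, "problems": problems}

# Placeholders (documentation ranges / made-up suffix): real values come from the
# app's allocated IPs and from the CNAME target Fly shows when you add the cert.
FLY_V4 = {"203.0.113.10"}
FLY_V6 = {"2001:db8::10"}
ACME_NS = "acme-ns.fly-placeholder.example"

if __name__ == "__main__":
    ok_apex = ZoneRecords(a=["203.0.113.10"], aaaa=["2001:db8::10"])
    proxied = ZoneRecords(a=["198.51.100.7"], aaaa=["2001:db8:ffff::7"])  # proxy's IPs
    print(preflight("example.com", False, ok_apex, FLY_V4, FLY_V6, ACME_NS))
    print(preflight("example.com", False, proxied, FLY_V4, FLY_V6, ACME_NS))
```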
I’m having the exact same issue. Moving a domain (tiffr.com, both apex and wildcard) that has DNS records with Cloudflare to point at Fly. All Cloudflare proxying is currently turned off. Domain is verified, but cert is not issued. Removed and re-added the certificate request once to see if that would kickstart it, but hasn’t helped. Any advice?
Also, as a follow up question: will there be the option to force using the DNS-01 challenge, even for non-wildcard domains (or is this already the case)? That would be helpful for avoiding the need to turn off proxying of DNS records other than the _acme-challenge CNAME at Cloudflare for renewals.