Certificate Verification when Proxied through Cloudflare

Hello Fly team,

Our company has made a bufferbloat test tool, and we are using your services for latency testing. Our setup is as follows:

We have a node app running at: https://waveform-sjc-speed-0.fly.dev/

This is a very simple API for downloading 0-filled files at various sizes. The api is as follows


This will download a 1000 byte text file filled with 0’s.

We have set up a proxied CNAME record on cloudflare that points to the fly node:

We’re pointing speedtest-cX.waveform.com to this, where X goes from 0 to 5.

And to use https , we’ve set up certificates like so:

We also have a cron job renewing these certificates once every two months.

Our problem is that once the certificates renew, the cloudflare proxy keeps serving the old SSL certificate, and once the old certificate expires, the new certificates keep staying in the “Not Verified” state.

The way we get the new certificates to be verified is to turn off the proxy status on cloudflare, and keep hitting the speedtest-cx domains until it stops showing SSL handshake errors. Then turning on the proxy again on cloudflare.

Our goal is to have this certificate renewal be fully automated. What can we do here to fix this? We suspect that the problem could be with the way fly.io verifies certificates.


Maybe use an origin cert from CF instead?

See this mini tutorial I wrote:

1 Like

Hi @arshankhanifar! Besides the excellent guide and the Cloudflare certs approach posted above, the other option might be to switch to DNS verification — this way the CA won’t have to actually hit the HTTP TLS endpoint to check ownership, so you won’t have Cloudflare trying to answer the verification challenge (which will fail the challenge, that’s why it doesn’t work right now unless you turn off proxying). See this discussion here as well: Can I use CloudFlare proxying with Fly certificates ?


Thank you for the great replies! I’ll look into them.

@sudhir.j Trying the Acme DNS verification. Interestingly, even though I’ve added the ACME verification, the indicator is still orange, but the “direct visitors to application” has turned green instead, even though it’s still proxied behind Cloudflare. Is that normal?