Certificate Verification when Proxied through Cloudflare

Hello Fly team,

Our company has made a bufferbloat test tool, and we are using your services for latency testing. Our setup is as follows:

We have a node app running at: https://waveform-sjc-speed-0.fly.dev/

This is a very simple API for downloading 0-filled files at various sizes. The API is as follows:

https://waveform-sjc-speed-0.fly.dev/down?bytes=1000

This will download a 1000-byte text file filled with 0s.

We have set up a proxied CNAME record on Cloudflare that points to the Fly node:

We’re pointing speedtest-cX.waveform.com to this, where X goes from 0 to 5.

And to use HTTPS, we’ve set up certificates like so:

We also have a cron job renewing these certificates once every two months.

Our problem is that once the certificates renew, the Cloudflare proxy keeps serving the old SSL certificate, and once the old certificate expires, the new certificates stay in the “Not Verified” state.

The way we get the new certificates to be verified is to turn off the proxy status on Cloudflare and keep hitting the speedtest-cX domains until they stop showing SSL handshake errors. Then we turn the proxy back on in Cloudflare.

Our goal is to have this certificate renewal be fully automated. What can we do here to fix this? We suspect that the problem could be with the way fly.io verifies certificates.

Thanks,
Arshan

Maybe use an origin cert from CF instead?

See this mini tutorial I wrote:


Hi @arshankhanifar! Besides the excellent guide and the Cloudflare certs approach posted above, the other option might be to switch to DNS verification — this way the CA won’t have to actually hit the HTTP TLS endpoint to check ownership, so you won’t have Cloudflare trying to answer the verification challenge (which will fail the challenge; that’s why it doesn’t work right now unless you turn off proxying). See this discussion here as well: Can I use CloudFlare proxying with Fly certificates?

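A monitoring check for the situation described in this thread, added here as an example (not code from Fly, Cloudflare or the original poster): it probes the certificate a visitor sees through the Cloudflare edge and, separately, the certificate the Fly origin serves when asked for the custom name via SNI (which is what the proxy validates), so a cron job can tell "Fly never issued the renewed cert" apart from "the proxy layer is broken". The hostnames are assumptions modelled on the ones quoted above.

```python
import socket
import ssl
import time

# Assumed hostnames, modelled on the ones quoted in the thread; substitute your own.
CUSTOM_HOST = "speedtest-c0.waveform.com"      # name visitors hit, proxied by Cloudflare
ORIGIN_HOST = "waveform-sjc-speed-0.fly.dev"   # the Fly app behind the proxy


def fetch_cert(connect_host, sni_name, port=443, timeout=5.0):
    """Return (cert_dict, error). Verification stays enabled so an expired
    or mis-named certificate surfaces as an error, never as a silent pass."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((connect_host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
                return tls.getpeercert(), None
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


def days_left(cert, now_ts):
    """Days until the certificate's notAfter, relative to a UNIX timestamp."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) / 86400


def assess(edge, origin, now_ts, warn_days=14):
    """Classify the two probes. Each argument is a getpeercert() dict, or None
    when that handshake failed. The origin is checked first because Cloudflare
    cannot serve a name whose origin certificate it cannot validate."""
    if origin is None:
        return "origin-unverified"   # Fly has no valid cert for this name yet
    if days_left(origin, now_ts) < warn_days:
        return "origin-expiring"     # the renewal did not land on the Fly side
    if edge is None:
        return "edge-failed"         # origin is fine; the proxy layer is at fault
    if days_left(edge, now_ts) < warn_days:
        return "edge-expiring"
    return "ok"


if __name__ == "__main__":
    now = time.time()
    # What a visitor sees: Cloudflare's edge certificate for the custom name.
    edge, edge_err = fetch_cert(CUSTOM_HOST, CUSTOM_HOST)
    # What Cloudflare sees: connect to the Fly origin with the custom name as SNI.
    origin, origin_err = fetch_cert(ORIGIN_HOST, CUSTOM_HOST)
    print("edge:  ", edge_err or "%.1f days left" % days_left(edge, now))
    print("origin:", origin_err or "%.1f days left" % days_left(origin, now))
    print("status:", assess(edge, origin, now))
```

Anything other than "ok" is worth an alert; "origin-unverified" or "origin-expiring" means the fix belongs on the Fly certificate side (for example the DNS-based verification suggested above), not in Cloudflare.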

Thank you for the great replies! I’ll look into them.

@sudhir.j Trying the ACME DNS verification. Interestingly, even though I’ve added the ACME verification, the indicator is still orange, but the “direct visitors to application” has turned green instead, even though it’s still proxied behind Cloudflare. Is that normal?