Certificate creation takes longer

On a single application, I have 3 different wildcard domains:

*.😀.com
*.😃.com
*.😄.com

The DNS is managed by Cloudflare. The first domain's cert creation was fast, but for the second and third domains it takes longer.

What I already did:

  1. Enable/Disable CF DNS Proxy (the orange cloud icon)
  2. Pause / Enable Cloudflare
  3. Changing from A&AAAA to using CNAME (and vice versa)
  4. Make sure that I follow the exact guide like I did for the first domain

but the certs are still not being created. Am I doing something wrong?

thanks in advance


I tried adding another domain (non-Cloudflare, the DNS is still the Namecheap default) and it just works, in less than 1 minute.


Strange that it is inconsistent. I’ve read before that it may take a little longer for wildcard domains because of the DNS verification. Make sure you have the acme challenge record Fly provides, and that it is grey-cloud (non-proxied) in Cloudflare. Turning off Cloudflare’s proxy generally makes things a lot simpler when it comes to DNS checks, as with that on, it returns Cloudflare’s IPs instead.

e.g. this thread from someone else about setting up a wildcard domain, which sounds similar:

I would guess that if you are toggling Cloudflare settings, that may cause a delay, as the DNS would have to be re-checked at some interval (not sure how often). So I’d recommend adding the record with a grey cloud, then requesting the certificate. So when it’s checked, it won’t return a Cloudflare IP.

1 Like
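The two conditions in the reply above (the `_acme-challenge` CNAME must exist, and the names must not resolve to Cloudflare's proxy addresses) can be checked before requesting the certificate. The script below is an added example, not Fly's or Cloudflare's code: it parses `dig +noall +answer` style output for a zone and reports anything that would make a DNS-01 validation fail or stall. The Cloudflare ranges are a subset of Cloudflare's published proxy ranges and should be refreshed from the official list; the challenge target `example.com.acme-target.example` and the app address `203.0.113.10` are constructed placeholders, and the sample answer block is constructed input.

```python
"""Checks the DNS preconditions for a wildcard (DNS-01) certificate on a zone
hosted at Cloudflare. Added example; not Fly's or Cloudflare's own code."""
import ipaddress
from dataclasses import dataclass, field

# A subset of Cloudflare's published anycast ranges. Assumed here; refresh from
# Cloudflare's official IP list before relying on it.
CLOUDFLARE_PROXY_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20",
    "162.158.0.0/15", "2606:4700::/32",
)]


@dataclass
class ZoneRecords:
    """Answers observed for one zone: owner name -> IPs, owner name -> CNAME target."""
    a: dict = field(default_factory=dict)
    cname: dict = field(default_factory=dict)


def records_from_dig_answer(text):
    """Parse `dig +noall +answer` style lines: NAME TTL CLASS TYPE RDATA."""
    recs = ZoneRecords()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, rtype, rdata = parts[0].rstrip("."), parts[3], parts[4].rstrip(".")
        if rtype in ("A", "AAAA"):
            recs.a.setdefault(name, []).append(rdata)
        elif rtype == "CNAME":
            recs.cname[name] = rdata
    return recs


def is_proxied(ip):
    """True if the address belongs to Cloudflare's proxy (orange-cloud) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_PROXY_RANGES)


def check_wildcard_readiness(domain, records, expected_challenge_target, expected_ips):
    """Return a list of human-readable findings; an empty list means the zone looks ready."""
    findings = []
    challenge = f"_acme-challenge.{domain}"
    target = records.cname.get(challenge)
    if target is None:
        findings.append(f"{challenge}: CNAME missing; add the acme challenge record the provider gives you")
    elif target != expected_challenge_target.rstrip("."):
        findings.append(f"{challenge}: CNAME points at {target}, expected {expected_challenge_target}")
    # Both the apex and the wildcard must answer with the app's own addresses.
    for name in (domain, f"*.{domain}"):
        ips = records.a.get(name, [])
        proxied = [ip for ip in ips if is_proxied(ip)]
        if proxied:
            findings.append(f"{name}: resolves to Cloudflare proxy address(es) {proxied}; "
                            "set the record to DNS only (grey cloud)")
        unexpected = [ip for ip in ips if ip not in proxied and ip not in expected_ips]
        if unexpected:
            findings.append(f"{name}: resolves to {unexpected}, not the expected "
                            f"app address(es) {sorted(expected_ips)}")
    return findings


# Constructed sample: apex still proxied, wildcard and challenge record correct.
SAMPLE_DIG_ANSWER = """\
example.com.                 300 IN A     104.16.1.1
*.example.com.               300 IN A     203.0.113.10
_acme-challenge.example.com. 300 IN CNAME example.com.acme-target.example.
"""

if __name__ == "__main__":
    recs = records_from_dig_answer(SAMPLE_DIG_ANSWER)
    for finding in check_wildcard_readiness("example.com", recs,
                                            "example.com.acme-target.example",
                                            {"203.0.113.10"}):
        print("FINDING:", finding)
```

On a real zone, feed it the output of `dig +noall +answer` for the apex, the wildcard name and `_acme-challenge.<domain>`, queried against the zone's authoritative servers so a cached answer from before a grey-cloud change does not mask the fix.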

So, I changed one of the domains' NS (from Cloudflare) back to Namecheap, and it just works!?

I still don’t really know which of them is going wrong,

and now it leaves a single Cloudflare-managed domain.


Cloudflare DNS:


Cloudflare SSL:

Let’s just see

Interesting. Perhaps that NS change triggers a re-check 🤔. And Namecheap doesn’t have a Cloudflare-style proxy (as I recall when I used them last). It’s just a DNS record. So there would be no issue with returning the wrong IP. And so the validation then passes.

If you don’t need Cloudflare’s proxy stuff for other reasons (geo headers, firewall rules etc) I’ve found it makes life simpler to just remove them from the equation. As you’ve found.

1 Like

Yeah, I need Cloudflare for doing a lot of things, like L7 DDoS protection, WAF, captcha, caching, Waitlist Room, and more…

Tomorrow, I will change the NS back to Cloudflare, and I’m sure Fly will be able to process the request because the cert has been issued (it also works without the cert, but this was a strange issue).

1 Like