I’ve set up a series of certificates for an app. While they have been working, they are not auto-renewing, and I can see that they have never been verified.
For the domains that use A/AAAA records, I notice that I have been given an IPv4 address to use with the A record, but no IPv6 record for the AAAA record. I just used the CLI to remove and re-add the certificates, and I get messages like:
I was able to verify the domains using domain ownership verification, even though that says it “is only needed if you want to generate the certificate before directing traffic to your application”.
IDK… maybe I just need to see what happens in another 3 months
Are these two different apps (app. vs apex domain)?
If so, you can use your IPv6 for your AAAA record.
If you want to pay $2 a month, you can get a static IPv4 and add that to your A record.
Then you would not need to use a CNAME.
That is what I did and it worked well. Though the certs can take some time, as it’s a free service (LetsEncrypt), and it can have rate limiting and minor delays. Sometimes a few hours for the certs to show. IDK why.
Either way, you can do this for both apps separately, if they are different apps.
I can see in our backend the certificate provisioning error is “An IPv6 address pointed at us is required.”
Looks like your app only has an IPv4 address allocated rather than IPv6 (which you did notice). I’m not sure why that happened, but you can allocate a free IPv6 address with fly ips allocate-v6, and that should fix auto-renewal.