Creating a CNAME vs A record for a custom hostname


When I’ve previously made an app, I’ve used a custom hostname by creating an A record to the returned IPv4 address. And then requested an SSL certificate, via flyctl certs add hostname

But when I’ve tried that just now, it now wants a CNAME record, to the

You can configure your DNS for … by:
1: Adding an CNAME record to your DNS service which reads …

Is that the new approach for all apps?

I assume behind the scenes the uses the same IP, so wondered what the benefits are or if that had indeed changed.

CNAME or A record provide the same result.

However, if you allocate or deallocate IPs on your app, you’ll have to manually update your A and/or AAAA records.

If you can use them, CNAMEs are better in that respect. Some DNS providers don’t allow “apex” or “root” hostname CNAMEs. Therefore, sometimes, A or AAAA records are the only options for your hostname.

Ok. But like I say, when I try and make a cert, it ignores the fact I have set up the DNS already using an A record. It says I need to make a CNAME.

The status of the cert is ‘Awaiting configuration’. So I assume that is what it is waiting for.

Suggesting you have to use a CNAME, as to use https, which everyone will/should, you need a CNAME for it to move to the next stage?

@greg You need an AAAA record as well, or it won’t validate. We’ve simplified the instructions to only explain the CNAME option when it’s available, but manually setting A/AAAA records works fine!

Ah … That explains it then. I only have an A record. Which must have been sufficient in the past since I’ve not created an AAAA before for any fly app yet still been issued a cert. But now it needs that too.

Well I might as well try a CNAME then. I’ve no preference, just wondered why what used to work didn’t. No problem.

Huh, that’s interesting. These apps have always required an AAAA record. Is there a chance you set up an _acme-challenge.<hostname> record before? You can also validate with a DNS record like that. If you did that, the A record will work.

This is like a choose your own adventure video game.

Ha! True.

Well I have a page of DNS records, all kinds of subdomains and things. And yes - I did have an acme-challenge CNAME there. Ah ha.

Still no AAAA record, and with that acme-challenge DNS record, the A record alone did not work. Since that was present before, as I did not touch it. And I added the A record. And no AAAA record. And it did not work.

Well … it may have worked, given time. Like I say, it said to create a CNAME. I didn’t. And it was on ‘Awaiting configuration’.

After maybe 10 minutes, after this discussion, I deleted the A record and went for a CNAME instead. And that seemed to please it immediately, and it worked. Haven’t tried it, but the table says the cert was issued.

So it doesn’t really matter about the AAAA stuff as it turns out as I’ve bypassed it and used a CNAME :)

Ah yeah, the CNAME basically just says “go look at this DNS server for A/AAAA records”.

That _acme-challenge is per hostname, so you would need to make one each time if you were using that.
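
Added example, not part of the thread and not Fly's own code: a small shell check that reads `dig +noall +answer` output for one hostname and reports which of the setups described in the replies above it matches (CNAME, A plus AAAA, or an `_acme-challenge` CNAME alongside an A record). The function name `cert_dns_status`, the `example.com`/`example.net` names and the sample answers are constructed, and the rules are taken as stated in the replies, not from the service's documentation.

```shell
#!/bin/sh
# Classify dig answer lines ("name. TTL IN TYPE value") read from stdin
# for the hostname given as $1, using the rules stated in this thread.
# Live use (needs network):
#   h=app.example.com
#   { dig +noall +answer "$h" A; dig +noall +answer "$h" AAAA;
#     dig +noall +answer "_acme-challenge.$h" CNAME; } | cert_dns_status "$h"
cert_dns_status() {
  awk -v host="$1" '
    BEGIN {
      h = tolower(host); sub(/\.$/, "", h); h = h "."
      acme = "_acme-challenge." h
    }
    $3 == "IN" {
      name = tolower($1); type = $4
      # Only records owned by the hostname itself count: when a CNAME is
      # followed, dig also prints the A/AAAA records of the target name.
      if (name == h) seen[type] = 1
      if (name == acme && type == "CNAME") challenge = 1
    }
    END {
      if (seen["CNAME"])                  print "ok: CNAME"
      else if (seen["A"] && seen["AAAA"]) print "ok: A+AAAA"
      else if (challenge && seen["A"])    print "ok: _acme-challenge with A"
      else if (seen["A"])
        print "incomplete: A only, add AAAA or _acme-challenge"
      else
        print "incomplete: need a CNAME, or both A and AAAA"
    }'
}

# Constructed sample answers (documentation names and address ranges).
SAMPLE_A_ONLY='app.example.com. 300 IN A 192.0.2.10'
SAMPLE_CNAME='app.example.com. 300 IN CNAME target.example.net.
target.example.net. 300 IN A 192.0.2.10
target.example.net. 300 IN AAAA 2001:db8::10'
SAMPLE_CHALLENGE='app.example.com. 300 IN A 192.0.2.10
_acme-challenge.app.example.com. 300 IN CNAME validation.example.net.'

for s in "$SAMPLE_A_ONLY" "$SAMPLE_CNAME" "$SAMPLE_CHALLENGE"; do
  printf '%s\n' "$s" | cert_dns_status app.example.com
done
```
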