Custom domain SSL certificate not serving at edge despite showing as "Issued" - 8+ hours

Description:

I’m experiencing a critical issue where my custom domain app.snapshot.so has a valid SSL certificate (shows as “Issued” in fly certs show) but the Fly.io edge proxy is not serving it, resulting in TLS handshake failures for 8+ hours.

App Details:

  • App name: receiptx-api-staging

  • Custom domain: app.snapshot.so

  • Region: sin (Singapore)

  • Machine ID: 568344ea407018

DNS Configuration:
```text
CNAME app.snapshot.so → receiptx-api-staging.fly.dev (DNS only, no proxy)
CNAME _acme-challenge.app.snapshot.so → app.snapshot.so.9lnwpwx.flydns.net
```

Certificate Status:

```bash
$ fly certs show app.snapshot.so -a receiptx-api-staging
Status = Issued
Hostname = app.snapshot.so
Certificate Authority = Let's Encrypt
Issued = rsa,ecdsa
Added to App = 8 hours ago
Expires = 2 months from now
```

✓ Certificate is verified and active

Error Observed:

```bash
$ curl -vvv https://app.snapshot.so/health
* Connected to app.snapshot.so (66.241.124.93) port 443
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
```

What Works:

  • Direct .fly.dev domain works perfectly:

    ```bash
    $ curl https://receiptx-api-staging.fly.dev/health
    {"status":"ok"}
    ```

  • Both domains resolve to the same IP: 66.241.124.93

  • App is running and healthy

  • Certificate validation completed successfully

What I’ve Tried:

  1. Removed and re-added the certificate 3 times

  2. Changed DNS from A record to CNAME

  3. Added ACME challenge CNAME record (_acme-challenge.app)

  4. Restarted the Fly.io machine multiple times

  5. Waited 8+ hours for edge propagation

  6. Verified DNS propagation globally

Root Cause Analysis: The certificate is valid and issued by Let’s Encrypt, but the edge proxy’s SNI routing table hasn’t synced the TLS binding for app.snapshot.so. The edge receives the connection but fails during TLS handshake, indicating the certificate isn’t being presented for this hostname despite showing as “Issued” in the control plane.

Impact:

  • Custom domain completely unreachable via HTTPS

  • Production application down for users

  • OAuth callbacks failing

  • Revenue loss (users cannot complete purchases)

Request: Please investigate the edge proxy configuration for this custom domain and force a refresh of the TLS certificate binding. This appears to be a platform-level issue with the edge routing layer not syncing with the control plane certificate status.

Additional Diagnostics:

```bash
$ openssl s_client -connect app.snapshot.so:443 -servername app.snapshot.so
# Returns: Verify return code: 0 (ok) but connection fails before certificate exchange
```

Thank you for your urgent assistance.
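The post notes that the custom hostname and the platform hostname resolve to the same IP, so the one comparison that separates "the edge has no certificate bound for this SNI name" from "something on my network path breaks the handshake" is to connect to that single IP twice with different SNI values. The script below does exactly that; it is an added example written for this thread, not code from the original post or from Fly.io's tooling. It takes the two hostnames and the IP 66.241.124.93 from the post and assumes port 443; chain validation is kept on (with the hostname check done by the script itself) so that an untrusted chain, which is what an intercepting proxy typically produces, shows up as its own outcome instead of being silenced.

```python
"""Added example (not from the original thread or Fly.io tooling): probe one
IP with two different SNI names and report what each handshake yields.

Assumptions, taken from the post above: the custom hostname, the platform
hostname and the shared IP 66.241.124.93; port 443 is assumed.
"""
import socket
import ssl

CUSTOM_HOST = "app.snapshot.so"                    # from the post
PLATFORM_HOST = "receiptx-api-staging.fly.dev"     # from the post
SHARED_IP = "66.241.124.93"                        # from the post (both names resolve here)


def hostname_matches(hostname, san_names):
    """Match a hostname against DNS SAN entries; one leftmost-label wildcard allowed."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # e.g. ".snapshot.so"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            # a wildcard covers exactly one non-empty label, never "a.b"
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


def probe(ip, sni, port=443, timeout=5.0):
    """TLS-connect to ip with the given SNI; report names on the served certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # compared by hostname_matches() instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation: an untrusted chain is a signal
    result = {"ip": ip, "sni": sni, "ok": False, "error": None,
              "sans": [], "issuer": None, "version": None}
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                result["sans"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                result["issuer"] = issuer.get("organizationName")
                result["version"] = tls.version()
                result["ok"] = True
    except ssl.SSLCertVerificationError as e:
        result["error"] = f"chain not trusted: {e.verify_message}"
    except ssl.SSLError as e:
        # e.reason is e.g. 'TLSV1_ALERT_PROTOCOL_VERSION' for the alert seen in the post
        result["error"] = f"handshake failed: {e.reason or e}"
    except OSError as e:
        result["error"] = f"connect failed: {e}"
    return result


def interpret(result, hostname):
    """Turn a probe result into the conclusion a practitioner would draw."""
    if result["ok"]:
        if hostname_matches(hostname, result["sans"]):
            return f"served certificate covers {hostname}"
        return (f"handshake ok but certificate does not cover {hostname} "
                f"(names: {result['sans']}): another cert is bound for this SNI")
    err = result["error"] or ""
    if err.startswith("chain not trusted"):
        return "certificate chain not trusted by this client: likely TLS interception on this path"
    if "ALERT" in err.upper():
        return "peer sent a TLS alert before offering a certificate: compare from another network/edge"
    return f"no TLS session: {err}"


if __name__ == "__main__":
    for sni in (CUSTOM_HOST, PLATFORM_HOST):
        r = probe(SHARED_IP, sni)
        print(f"SNI={sni}: ok={r['ok']} version={r['version']} "
              f"issuer={r['issuer']} sans={r['sans']} error={r['error']}")
        print("  ->", interpret(r, sni))
```

Run it once from the affected network and once from an independent one (the hotspot suggested in the thread). If the custom SNI fails while the platform SNI succeeds against the same IP from every network, the edge really is not presenting a certificate for that name; if both names fail, or the chain comes back untrusted, only from one network, the problem is on that path rather than at the edge.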

Are you able to test this from another network, such as a mobile hotspot, to rule out anything there?

I haven’t been able to identify any issues for this hostname. Requests work successfully for me, and I verified they work through every sin edge fine.

An mtr from the location you’re seeing this to the IP would also be helpful, in case this is routing outside of Singapore.


Hi @Veera - in addition to what @bglw suggested, can you also share the output of

```bash
curl -v http://app.snapshot.so
```

Important: note it’s http, not https.

Also important: don’t ask curl to follow redirects (i.e. don’t use -L). What I want to see is precisely the http redirect-to-https response before it does the redirect.

Thanks!


Seems to be working now, I can access this endpoint via HTTPS.


Hey, thanks for checking. I have run a workaround on Cloudflare and made it whitelisted on Zscaler; with that change, it is currently accessible, thanks.