Custom domain's certificate is stuck on "Awaiting configuration"

Hi, I’m building an authoritative dns server for my domain on Fly but I can’t generate certs for the apex domain even though the A and AAAA records for the apex domain and the CNAME record for _acme-challenge. are set.

For context, the dns server is a clone of local-ip.co. It allows someone to hit http://127-0-0-1.local-ip.sh and get directed to whatever is running on 127.0.0.1. It becomes useful once I can get HTTPS working for *.local-ip.sh but that’s not my concern yet.

Right now I want to host a page on https://local-ip.sh but for some obscure reason, my certificate hasn’t been issued yet.

$ fly certs show local-ip.sh
The certificate for local-ip.sh has not been issued yet.

Hostname                  = local-ip.sh

DNS Provider              = nic

Certificate Authority     = Let's Encrypt

Issued                    =

Added to App              = 42 minutes ago

Source                    = fly

You are creating a certificate for local-ip.sh
We are using lets_encrypt for this certificate.

You can direct traffic to local-ip.sh by:

1: Adding an A record to your DNS service which reads

    A @ 213.188.218.137

You can validate your ownership of local-ip.sh by:

2: Adding an AAAA record to your DNS service which reads:

    AAAA @ 2a09:8280:1::9165

$ dig local-ip.sh a +short
213.188.218.137

$ dig local-ip.sh aaaa +short
2a09:8280:1::9165

$ dig _acme-challenge.local-ip.sh cname +short
local-ip.sh.n2kl11.flydns.net.

The dns server’s code is available here: GitHub - m5r/local-ip.sh: DNS service for local IP addresses (with HTTPS support coming soon)

Edit: I’ve found this post from someone running into the same certificate issue using a self-hosted authoritative dns server for their domain; it might be relevant.

Edit 2: Another maybe-relevant item, I’m running this Node.js app on Fly and the following code throws an ESERVFAIL error:

import { resolve4 } from "dns/promises";

const resolvedIPs = await resolve4("192-168-1-29.local-ip.sh"); // this throws ESERVFAIL

Running dig also fails:

$ dig local-ip.sh +trace
; <<>> DiG 9.16.33-Debian <<>> local-ip.sh +trace
;; global options: +cmd
.                       516298  IN      NS      e.root-servers.net.
.                       516298  IN      NS      h.root-servers.net.
.                       516298  IN      NS      l.root-servers.net.
.                       516298  IN      NS      i.root-servers.net.
.                       516298  IN      NS      a.root-servers.net.
.                       516298  IN      NS      d.root-servers.net.
.                       516298  IN      NS      c.root-servers.net.
.                       516298  IN      NS      b.root-servers.net.
.                       516298  IN      NS      j.root-servers.net.
.                       516298  IN      NS      k.root-servers.net.
.                       516298  IN      NS      g.root-servers.net.
.                       516298  IN      NS      m.root-servers.net.
.                       516298  IN      NS      f.root-servers.net.
.                       516298  IN      RRSIG   NS 8 0 518400 20221112170000 20221030160000 18733 . PleNHyMwfRtZt2c8rzXxndFj+LoAyxzxqqga/LUmgcTMx33XcrkUGS2V i1BK/DNiadqHI7EAV0yPslCqA/K7jh/vuoDhau5pJLnHST9eZU2gKBjK pnG1dt9v96kSL1rqa7/wgBdgeCXILNgyrTh299kmK3N8nj6R+zOrPtNC UlpzsIhHSCk/ZRGsEMe2uGZ2qIEwr69sk8BmJ8xzWezSl8nuRn/xZY+j eMSXyt7H6EfR4eBzSbxTEq5/I46gtCKeR4D0i2QiP0fL/wxYM3J0xo4B 23bFXqOINql9nc6kNba8vA5AZVeL3qzEjYdGE/yOCpYqwC4Pc/sdbywh DGZ0QQ==
;; Received 525 bytes from fdaa::3#53(fdaa::3) in 0 ms

sh.                     172800  IN      NS      a0.nic.sh.
sh.                     172800  IN      NS      b0.nic.sh.
sh.                     172800  IN      NS      c0.nic.sh.
sh.                     172800  IN      NS      a2.nic.sh.
sh.                     86400   IN      DS      55297 8 2 BA339AD6E081DAD292A3F473CBDD5ADC53A0222769A7C6125F506DD6 A813787F
sh.                     86400   IN      RRSIG   DS 8 1 86400 20221112170000 20221030160000 18733 . TpRC3vCXM+Grqeq433EqxzdM4nOBRsDBQyXgFeGA0AvwIKI2AvZbq+9w 7fR8hZN9inKDknPSrorwRmIs6N7wzJF2Xcinubv9/VIydPl+7esbEcfi 4yhA+jpb+R3zWPElP/uFgpGqPkm900wKoXEAo9PkUhFN+BgwjwSrvd2+ 3qc3hRKD9HBTYktQhNw0zregs+iUpdDoCNNWL1YbD84Wy0VnYgkqJwKM YDypmLH9+8IpGqOVMZMLN22X/TNFtnq9EfzwxN/2wsMvdEKLj697pw+s TNkMAP8dJ8G1gUrao7fUeFJ93wSpZjkwObUvvt15LnycSWIXBs7MNc6j aadYaw==
;; Received 623 bytes from 192.58.128.30#53(j.root-servers.net) in 4 ms

local-ip.sh.            3600    IN      NS      ns2.local-ip.sh.
local-ip.sh.            3600    IN      NS      ns1.local-ip.sh.
mci9ncnblgquoevrhl6iu1oet1rqmea4.sh. 3600 IN NSEC3 1 1 10 332539EE7F95C32A MCM97ECBOBN240E95GDE0TTL8EP5O0SF NS SOA RRSIG DNSKEY NSEC3PARAM
mci9ncnblgquoevrhl6iu1oet1rqmea4.sh. 3600 IN RRSIG NSEC3 8 2 3600 20221120222309 20221030212309 47916 sh. mXNVj5/CToswlpEGq07XOleJ44Gt2FgQ2qRSF9lL5EP8VQBZbEuKaWkE 6fV1ePXPP7algN49BbUv10/v13ODX2kihcdEqBqP3qNkAHAVTgrF7B4X N4/c55IvRpWuJTywKLDJ3ETQocPsvqW/ZhDxziLw2iSIZ9IlnMrCAMZt ZbQ=
n56jk7cb7o0k66krbdaiqs8595l3cc3t.sh. 3600 IN NSEC3 1 1 10 332539EE7F95C32A N8AD6L0KDBU315BUF71G0S81KV5J74LK NS DS RRSIG
n56jk7cb7o0k66krbdaiqs8595l3cc3t.sh. 3600 IN RRSIG NSEC3 8 2 3600 20221115155801 20221025145801 47916 sh. OAAWvClbPTIbv7RKAxPp1AlLypcY7uW4pFDB/fGO9AjmrRfErQBePcff q0olbxobWxOAHWShL4uNOZFRetTNNBxxLqnGkptu2oux86ZGPBCdpYyF h10c670YUGRM5LIOgZv9aScpi0taS+g1/Mvpc9x4drJ32t9abrNtItQa UQQ=
couldn't get address for 'ns2.local-ip.sh': failure
couldn't get address for 'ns1.local-ip.sh': failure
dig: couldn't get address for 'ns2.local-ip.sh': no more

Not sure what’s happening exactly but I have a feeling this has something to do with my certs problem.
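
A check for the condition visible in the trace above, where both nameservers delegated for local-ip.sh are names inside local-ip.sh and dig could not get an address for either. This is an added example, not part of the original post; the function names are hypothetical and the sample input is an excerpt of the quoted `dig +trace` output.

```javascript
// Added example (not from the original post). SAMPLE_TRACE is an excerpt of
// the `dig +trace` output quoted above; function names are hypothetical.
const SAMPLE_TRACE = `
sh.                     172800  IN      NS      a0.nic.sh.
local-ip.sh.            3600    IN      NS      ns2.local-ip.sh.
local-ip.sh.            3600    IN      NS      ns1.local-ip.sh.
couldn't get address for 'ns2.local-ip.sh': failure
couldn't get address for 'ns1.local-ip.sh': failure
dig: couldn't get address for 'ns2.local-ip.sh': no more
`;

// Lower-case and drop the trailing root dot so names compare equal.
const norm = (name) => name.toLowerCase().replace(/\.$/, "");

// True when `host` is the zone apex or a name underneath it.
const inZone = (host, zone) => host === zone || host.endsWith("." + zone);

// Return one finding per nameserver the trace delegates `zone` to.
function auditDelegation(trace, zone) {
  const apex = norm(zone);
  const nameservers = new Set();
  const failed = new Set();
  for (const line of trace.split("\n")) {
    const ns = line.match(/^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)/);
    if (ns && norm(ns[1]) === apex) nameservers.add(norm(ns[2]));
    const fail = line.match(/couldn't get address for '([^']+)'/);
    if (fail) failed.add(norm(fail[1]));
  }
  return [...nameservers].sort().map((host) => ({
    host,
    // In-zone NS names sit behind the delegation they define, so resolvers
    // depend on address (glue) records in the parent zone to reach them.
    inBailiwick: inZone(host, apex),
    unresolvable: failed.has(host),
  }));
}

// True when dig could not get an address for any delegated nameserver,
// i.e. the resolver it used has no path into the zone.
function delegationUnreachable(findings) {
  return findings.length > 0 && findings.every((f) => f.unresolvable);
}

const findings = auditDelegation(SAMPLE_TRACE, "local-ip.sh");
console.log(findings, "unreachable:", delegationUnreachable(findings));
```

For the excerpt it reports ns1 and ns2 as in-bailiwick and unresolvable, which points the investigation at the address records registered for those two names in the parent zone and at whether the server answers A/AAAA queries for them.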