Custom domain's certificate is stuck on "Awaiting configuration"

Hi, I’m building an authoritative DNS server for my domain on Fly, but I can’t generate certs for the apex domain even though the A and AAAA records for the apex domain and the CNAME record for _acme-challenge. are set.

For context, the DNS server is a clone of local-ip.co. It allows someone to hit http://127-0-0-1.local-ip.sh and get directed to whatever is running on 127.0.0.1. It becomes useful once I can get HTTPS working for *.local-ip.sh, but that’s not my concern yet.

Right now I want to host a page on https://local-ip.sh, but for some obscure reason my certificate hasn’t been issued yet.

$ fly certs show local-ip.sh
The certificate for local-ip.sh has not been issued yet.

Hostname                  = local-ip.sh
DNS Provider              = nic
Certificate Authority     = Let's Encrypt
Issued                    =
Added to App              = 42 minutes ago
Source                    = fly

You are creating a certificate for local-ip.sh
We are using lets_encrypt for this certificate.

You can direct traffic to local-ip.sh by:

1: Adding an A record to your DNS service which reads

    A @ 213.188.218.137

You can validate your ownership of local-ip.sh by:

2: Adding an AAAA record to your DNS service which reads:

    AAAA @ 2a09:8280:1::9165

$ dig local-ip.sh a +short
213.188.218.137

$ dig local-ip.sh aaaa +short
2a09:8280:1::9165

$ dig _acme-challenge.local-ip.sh cname +short
local-ip.sh.n2kl11.flydns.net.

The DNS server’s code is available here: GitHub - m5r/local-ip.sh: DNS service for local IP addresses (with HTTPS support coming soon)

Edit: I’ve found this post of someone running into the same certificate issue using a self-hosted authoritative DNS server for their domain, might be relevant

Edit 2: Another maybe-relevant item, I’m running this Node.js app on Fly and the following code throws an ESERVFAIL error:

import { resolve4 } from "dns/promises";

const resolvedIPs = await resolve4("192-168-1-29.local-ip.sh"); // this throws ESERVFAIL

Running dig also fails:

$ dig local-ip.sh +trace
; <<>> DiG 9.16.33-Debian <<>> local-ip.sh +trace
;; global options: +cmd
.                       516298  IN      NS      e.root-servers.net.
.                       516298  IN      NS      h.root-servers.net.
.                       516298  IN      NS      l.root-servers.net.
.                       516298  IN      NS      i.root-servers.net.
.                       516298  IN      NS      a.root-servers.net.
.                       516298  IN      NS      d.root-servers.net.
.                       516298  IN      NS      c.root-servers.net.
.                       516298  IN      NS      b.root-servers.net.
.                       516298  IN      NS      j.root-servers.net.
.                       516298  IN      NS      k.root-servers.net.
.                       516298  IN      NS      g.root-servers.net.
.                       516298  IN      NS      m.root-servers.net.
.                       516298  IN      NS      f.root-servers.net.
.                       516298  IN      RRSIG   NS 8 0 518400 20221112170000 20221030160000 18733 . PleNHyMwfRtZt2c8rzXxndFj+LoAyxzxqqga/LUmgcTMx33XcrkUGS2V i1BK/DNiadqHI7EAV0yPslCqA/K7jh/vuoDhau5pJLnHST9eZU2gKBjK pnG1dt9v96kSL1rqa7/wgBdgeCXILNgyrTh299kmK3N8nj6R+zOrPtNC UlpzsIhHSCk/ZRGsEMe2uGZ2qIEwr69sk8BmJ8xzWezSl8nuRn/xZY+j eMSXyt7H6EfR4eBzSbxTEq5/I46gtCKeR4D0i2QiP0fL/wxYM3J0xo4B 23bFXqOINql9nc6kNba8vA5AZVeL3qzEjYdGE/yOCpYqwC4Pc/sdbywh DGZ0QQ==
;; Received 525 bytes from fdaa::3#53(fdaa::3) in 0 ms

sh.                     172800  IN      NS      a0.nic.sh.
sh.                     172800  IN      NS      b0.nic.sh.
sh.                     172800  IN      NS      c0.nic.sh.
sh.                     172800  IN      NS      a2.nic.sh.
sh.                     86400   IN      DS      55297 8 2 BA339AD6E081DAD292A3F473CBDD5ADC53A0222769A7C6125F506DD6 A813787F
sh.                     86400   IN      RRSIG   DS 8 1 86400 20221112170000 20221030160000 18733 . TpRC3vCXM+Grqeq433EqxzdM4nOBRsDBQyXgFeGA0AvwIKI2AvZbq+9w 7fR8hZN9inKDknPSrorwRmIs6N7wzJF2Xcinubv9/VIydPl+7esbEcfi 4yhA+jpb+R3zWPElP/uFgpGqPkm900wKoXEAo9PkUhFN+BgwjwSrvd2+ 3qc3hRKD9HBTYktQhNw0zregs+iUpdDoCNNWL1YbD84Wy0VnYgkqJwKM YDypmLH9+8IpGqOVMZMLN22X/TNFtnq9EfzwxN/2wsMvdEKLj697pw+s TNkMAP8dJ8G1gUrao7fUeFJ93wSpZjkwObUvvt15LnycSWIXBs7MNc6j aadYaw==
;; Received 623 bytes from 192.58.128.30#53(j.root-servers.net) in 4 ms

local-ip.sh.            3600    IN      NS      ns2.local-ip.sh.
local-ip.sh.            3600    IN      NS      ns1.local-ip.sh.
mci9ncnblgquoevrhl6iu1oet1rqmea4.sh. 3600 IN NSEC3 1 1 10 332539EE7F95C32A MCM97ECBOBN240E95GDE0TTL8EP5O0SF NS SOA RRSIG DNSKEY NSEC3PARAM
mci9ncnblgquoevrhl6iu1oet1rqmea4.sh. 3600 IN RRSIG NSEC3 8 2 3600 20221120222309 20221030212309 47916 sh. mXNVj5/CToswlpEGq07XOleJ44Gt2FgQ2qRSF9lL5EP8VQBZbEuKaWkE 6fV1ePXPP7algN49BbUv10/v13ODX2kihcdEqBqP3qNkAHAVTgrF7B4X N4/c55IvRpWuJTywKLDJ3ETQocPsvqW/ZhDxziLw2iSIZ9IlnMrCAMZt ZbQ=
n56jk7cb7o0k66krbdaiqs8595l3cc3t.sh. 3600 IN NSEC3 1 1 10 332539EE7F95C32A N8AD6L0KDBU315BUF71G0S81KV5J74LK NS DS RRSIG
n56jk7cb7o0k66krbdaiqs8595l3cc3t.sh. 3600 IN RRSIG NSEC3 8 2 3600 20221115155801 20221025145801 47916 sh. OAAWvClbPTIbv7RKAxPp1AlLypcY7uW4pFDB/fGO9AjmrRfErQBePcff q0olbxobWxOAHWShL4uNOZFRetTNNBxxLqnGkptu2oux86ZGPBCdpYyF h10c670YUGRM5LIOgZv9aScpi0taS+g1/Mvpc9x4drJ32t9abrNtItQa UQQ=
couldn't get address for 'ns2.local-ip.sh': failure
couldn't get address for 'ns1.local-ip.sh': failure
dig: couldn't get address for 'ns2.local-ip.sh': no more

Not sure what’s happening exactly, but I have a feeling this has something to do with my certs problem.
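The two things the post describes, a zone that turns a dash-encoded label into an A record and a resolver path that fails with ESERVFAIL, can be separated with a small amount of code. What follows is an added example and not code from m5r/local-ip.sh: it decodes names of the form a-b-c-d.local-ip.sh (accepting extra labels to the left, which is an assumption here), answers the zone's own records using only the values quoted in this thread (apex A/AAAA, the _acme-challenge CNAME, and the ns1/ns2 addresses given further down), and exposes a helper that asks one nameserver directly instead of the local recursive resolver. Record names and the helper function names are this example's own; the real project may structure things differently.

```javascript
// Added example, not code from m5r/local-ip.sh. Record values are the ones
// quoted in the thread; ns1/ns2 addresses are the edge-only IPs Fly assigned.
const ZONE = "local-ip.sh";
const APEX_A = "213.188.218.137";
const APEX_AAAA = "2a09:8280:1::9165";
const ACME_CNAME_TARGET = "local-ip.sh.n2kl11.flydns.net";
const NAMESERVERS = {
  "ns1.local-ip.sh": "137.66.40.11",
  "ns2.local-ip.sh": "137.66.40.12",
};

// Returns the dotted IPv4 address encoded in the label just before the zone
// ("192-168-1-29.local-ip.sh" -> "192.168.1.29"). Labels further left, as in
// "app.10-0-0-1.local-ip.sh", are tolerated (an assumption of this example).
// Anything that is not exactly four valid octets yields null, so a client
// cannot make the server echo arbitrary strings into A records.
function decodeLocalIp(name, zone = ZONE) {
  const labels = name.toLowerCase().replace(/\.$/, "").split(".");
  const zoneLabels = zone.toLowerCase().split(".");
  if (labels.length <= zoneLabels.length) return null;
  if (labels.slice(-zoneLabels.length).join(".") !== zoneLabels.join(".")) return null;
  const ipLabel = labels[labels.length - zoneLabels.length - 1];
  const m = /^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$/.exec(ipLabel);
  if (!m) return null;
  const parts = m.slice(1);
  // Reject leading zeros ("01") and values above 255: some IP parsers accept
  // both, which would let several distinct names map to one address.
  if (parts.some((p) => (p.length > 1 && p[0] === "0") || Number(p) > 255)) return null;
  return parts.map(Number).join(".");
}

// Builds the answer section for a question as an array of {name, type, data}.
// Only A, AAAA, NS and CNAME are modelled; an empty array stands for a
// NODATA/NXDOMAIN response, whose SOA record this example does not build.
function answer(name, qtype) {
  const fqdn = name.toLowerCase().replace(/\.$/, "");
  const type = qtype.toUpperCase();
  // A CNAME owner returns the CNAME whatever type was asked for, which is
  // what lets Let's Encrypt follow _acme-challenge to Fly's DNS.
  if (fqdn === "_acme-challenge." + ZONE) {
    return [{ name: fqdn, type: "CNAME", data: ACME_CNAME_TARGET }];
  }
  if (fqdn === ZONE) {
    if (type === "A") return [{ name: fqdn, type, data: APEX_A }];
    if (type === "AAAA") return [{ name: fqdn, type, data: APEX_AAAA }];
    if (type === "NS") return Object.keys(NAMESERVERS).map((ns) => ({ name: fqdn, type, data: ns }));
    return [];
  }
  if (type === "A" && NAMESERVERS[fqdn]) return [{ name: fqdn, type, data: NAMESERVERS[fqdn] }];
  const ip = decodeLocalIp(fqdn);
  if (type === "A" && ip !== null) return [{ name: fqdn, type, data: ip }];
  return [];
}

// Asks one nameserver directly over UDP/53, the path any external validator
// (including Fly's certificate manager) has to take, instead of going through
// the local recursive resolver. ESERVFAIL from the recursor combined with a
// good answer here points at reachability of the nameserver rather than at the
// zone contents. Not called at load time because it needs the network.
async function queryAuthoritative(name, server, rrtype = "A") {
  const { Resolver } = await import("node:dns/promises");
  const resolver = new Resolver();
  resolver.setServers([server]);
  return resolver.resolve(name, rrtype);
}
```

Running `queryAuthoritative("192-168-1-29.local-ip.sh", "137.66.40.11")` from a Fly machine and from outside Fly, and comparing that with `resolve4` through the default resolver, is the quickest way to tell a zone problem from a routing problem.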

Bump, we’re more than a year later and I still haven’t found a solution to this problem. I would really love some help here.

There’s an issue in our networking stack preventing us from being able to reach Fly-hosted UDP services over IPv4 from Fly apps.

Our app that manages certificates is hosted on Fly itself and therefore cannot reach your DNS server.

We can assign an IPv4 that’s “edge-only” and will be reachable by Fly-hosted apps but you’ll have to change your ns1 and ns2 to point at it.

Edit: Let us know if you want us to do something about it (assign 1 or 2 edge-only IPs).

That makes a lot of sense, thanks for chiming in so quickly!

Yes please, assign 2 edge-only IP addresses to local-ip and I’ll change ns1. and ns2. to point at them.
Is this “edge-only” region coming any time soon to the flyctl ips allocate-v4 command or is it supposed to stay available only when necessary?

Alright, I have assigned 137.66.40.11 and 137.66.40.12 to your app.

Only when necessary :) we only reserved a small range for this purpose. Hopefully this won’t be necessary in the future when we fix the internal routing issue.

Thanks a lot, I’ve changed the ns, ns1, and ns2 records to point to these new IPs and I’ve changed the glue records to reflect those changes too.

The certificate has been issued correctly and the website is now accessible at the custom domain I set up. Merci beaucoup @jerome :D
