Hello,
We are using Cloudflare’s Custom Hostnames for SaaS feature. This means our clients can point their domains to a CNAME we provide, and Cloudflare manages the certificate, allowing the clients’ domains to use Cloudflare’s proxy (orange cloud) and benefit from all its features.
However, for it to work with our app on fly.io, we need to set the SSL mode to Full and disable strict mode because we cannot generate a valid SSL certificate for these clients’ domains on fly.io. It works like this:
# fly.toml: TLS settings for the app's HTTP service
[http_service.tls_options]
  # protocols offered via ALPN
  alpn = ["h2", "http/1.1"]
  # TLS versions accepted from Cloudflare
  versions = ["TLSv1.2", "TLSv1.3"]
  # serve a Fly-generated self-signed certificate for hostnames without an issued cert
  default_self_signed = true
So far, so good, but we started experiencing problems a day ago when several of these client domains renewed, causing intermittent 525 SSL handshake errors when reaching our application on fly.io.
By chance, we deployed the project with default_self_signed set to false in the .toml file and then set it back to true.
This change seems to have created a new certificate, and everything is now working without interruptions.
The question is, is this an issue you can resolve, or is there a way we can force the renewal of this self-signed certificate?
Thank you.
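An added diagnostic (not code from the original post and not from Fly.io or Cloudflare) for the situation described above: connect to the Fly origin directly with the client's domain as SNI, the way Cloudflare's proxy does in Full (non-strict) mode, print the certificate the origin presents, and classify its expiry. A handshake that fails entirely is what Cloudflare reports as a 525. `ORIGIN` and `SNI` are placeholders for your app's Fly hostname and a client domain; the 7-day warning threshold is an arbitrary assumption; the script assumes the `openssl` CLI and GNU `date`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check what certificate a Fly.io
# origin serves for a given custom hostname and whether it is expired/expiring.
# ORIGIN/SNI below are placeholders; openssl CLI and GNU date are assumed.
set -u

# Fetch the leaf certificate the origin presents for a given SNI name.
# Cloudflare sends the client's domain as SNI, so test with that name,
# not with the Fly hostname. Fails (non-zero) if the handshake does not complete.
fetch_origin_cert() {
  local origin=$1 sni=$2
  openssl s_client -connect "${origin}:443" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509
}

# Seconds until a notAfter timestamp in openssl's "MMM DD HH:MM:SS YYYY GMT"
# format; negative when the certificate has already expired.
seconds_until() {
  local not_after=$1 now
  now=$(date -u +%s)
  echo $(( $(date -u -d "$not_after" +%s) - now ))
}

# Classify a notAfter timestamp: "expired", "expiring" (assumed 7-day window), or "ok".
cert_status() {
  local secs
  secs=$(seconds_until "$1")
  if [ "$secs" -lt 0 ]; then
    echo expired
  elif [ "$secs" -lt $((7 * 86400)) ]; then
    echo expiring
  else
    echo ok
  fi
}

# Full check for one custom hostname: fetch, summarise, classify.
check_custom_hostname() {
  local origin=$1 sni=$2 pem not_after
  if ! pem=$(fetch_origin_cert "$origin" "$sni"); then
    echo "TLS handshake failed for SNI=$sni on $origin (Cloudflare would report 525)"
    return 1
  fi
  printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -dates
  not_after=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
  echo "status: $(cert_status "$not_after")"
}

# Usage (placeholders): check_custom_hostname my-app.fly.dev client.example.com
```

Run it for each client domain that renewed; a self-signed certificate with an old issuer or a `notAfter` in the past, or a handshake that fails only for some SNI names, tells you whether the origin side is what needs redeploying.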