Fly Certificate confirmation requirements changing week to week

I’m running into an issue with certs failing to work a week after successful issuance and confirmation.

Week 1 (last week):

  • issue certs for myapp.fly.dev to mydomain.com and myotherdomain.com
  • confirm cert by adding AAAA record (for both subdomain and root certs) as suggested by CLI on both domains
  • fly certs check {domain} for both domains, successful issuance
  • it all works perfectly

Week 2 (this week):

  • get DNS_PROBE_FINISHED_NXDOMAIN error for all certs
  • try clearing cookies, cache, etc.; nothing works
  • fly certs remove {url}
  • fly certs add {url}
  • remove old AAAA DNS record, add new CNAME (for subdomain) or A (for root) record as suggested by CLI
  • it works again

My domains are owned on Namecheap, DNS managed by CloudFlare, proxy settings turned off for both domains. The project I’m working on heavily relies on a stable DNS/certificate setup for many different domains, subdomains, and wildcard certs, and this is a real blocker to using Fly.io.

So my questions are:

  1. Has anyone else bumped into this issue?
  2. Am I missing something obvious in this setup that would clearly cause this behavior?
  3. Have the certification validation requirements (AAAA vs A vs CNAME for domains/subdomains) changed on Fly.io’s side since last week?
  4. Are there documented issues with using CloudFlare for DNS routing, even if proxying is turned off? I know there have previously been issues with CloudFlare proxying, but I’ve never had an issue with the DNS setup before.

@fly any help here?

Hi @russellromney! I’m not aware of any certificate validation requirements that have changed recently. Also, once the certificate is successfully issued, it should be valid for 90 days, so I’d expect the previously issued, working certificate to still be in use in week 2 without renewal.

The DNS_PROBE_FINISHED_NXDOMAIN error makes me think this is actually a strictly DNS-related issue. From your description, it seems like you added only an AAAA record the first time? If so, then this would make your site effectively IPv6 only. If you have both public IPv4 and IPv6 addresses for your app (check fly ips list), then you can add both A (IPv4) and AAAA (IPv6) records for your domain so that it can be accessed over both protocols.

This is just a guess, but I’m wondering if you changed locations or ISPs between week 1 and week 2 and ended up on an IPv4-only connection in week 2, so that you could no longer access the site. If that’s the case, then changing to A+CNAME like you did indeed would have fixed this.

If this sounds plausible and everything is working for you now, then I’d just suggest adding AAAA records where you’ve already set A records. If not, let me know!

2 Likes
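The A/AAAA coverage check suggested in the reply above, as an added example that is not part of the original thread or Fly.io's tooling: it reports hostnames that resolve over only one address family, which is the condition that makes a site unreachable from an IPv4-only (or IPv6-only) network. The hostnames and addresses in `SAMPLE_ZONE` are constructed, and `sample_resolve` is a hypothetical stand-in for real DNS so the example runs offline.

```python
import socket

def live_resolve(host, family):
    """Addresses the system resolver returns for one family (follows CNAMEs)."""
    try:
        infos = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no record of this family, or the name does not exist
    return sorted({info[4][0] for info in infos})

def classify(host, resolve=live_resolve):
    """Report which address families a hostname can be reached on."""
    v4 = resolve(host, socket.AF_INET)    # A records
    v6 = resolve(host, socket.AF_INET6)   # AAAA records
    if v4 and v6:
        status = "dual-stack"
    elif v6:
        status = "ipv6-only"      # IPv4-only clients cannot reach it
    elif v4:
        status = "ipv4-only"      # IPv6-only clients cannot reach it
    else:
        status = "unresolvable"
    return {"host": host, "status": status, "ipv4": v4, "ipv6": v6}

def audit(hosts, resolve=live_resolve):
    """Return only the hostnames that are not reachable over both protocols."""
    results = (classify(h, resolve) for h in hosts)
    return [r for r in results if r["status"] != "dual-stack"]

# Constructed sample zone (documentation address ranges), so this runs offline.
SAMPLE_ZONE = {
    ("example.com", socket.AF_INET): ["192.0.2.10"],
    ("example.com", socket.AF_INET6): ["2001:db8::10"],
    ("www.example.com", socket.AF_INET6): ["2001:db8::10"],  # AAAA only
    ("api.example.com", socket.AF_INET): ["192.0.2.10"],     # A only
}

def sample_resolve(host, family):
    """Hypothetical resolver backed by SAMPLE_ZONE instead of real DNS."""
    return SAMPLE_ZONE.get((host, family), [])

if __name__ == "__main__":
    names = ["example.com", "www.example.com", "api.example.com", "gone.example.com"]
    for r in audit(names, sample_resolve):  # omit sample_resolve to query real DNS
        print(f"{r['host']}: {r['status']} A={r['ipv4']} AAAA={r['ipv6']}")
```

Run against real domains by calling `audit([...])` without the second argument; the result reflects what the local resolver returns, so checking from both an IPv4-only and a dual-stack network gives the full picture.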

Okay, thanks, that is super super useful to know! Indeed, I had switched locations while working remotely. Maybe that could be a useful note to add for the documentation or the CLI DNS prompts for fly certs add.
