*.fly.dev SSL certificate expiration


It looks like SSL certificate for *.fly.dev domain was not renewed, now it’s less than 2 weeks left…

Could somebody from the fly team look into this?

* Server certificate:
*  subject: CN=*.fly.dev
*  start date: Jan 22 23:19:23 2023 GMT
*  expire date: Apr 22 23:19:22 2023 GMT


Given the duration (90 days) I would guess it’s a Let’s Encrypt one. So it’s possible it has been renewed but it’s still using a cached one:

However yes, it’s worth flagging just in case there is any issue with auto-renewing that one.

1 Like

We’re looking into it.

1 Like

Thanks you pointed me to the issue, and @jerome said there were a bug.
Could this be the same or another bug?

1 Like

This is probably just a cached cert issue. Two weeks is plenty. We should have updated this 2 weeks ago but that’s part of why we have this buffer. :slight_smile:


I use my own monitoring solution, that is also checking 2 weeks SSL expiration (among other things), and few of its instances is pinging each other.
So I catched that. :slight_smile:

Hi guys, new here, so please bear with me. I am not sure if it’s related (probably not, as the certificate is valid now), but some of the users of my app get a malicious website notification in their browser. Does that have anything to do with the reputation of the fly.dev domain (I am not using a custom domain), or what could be the issue here?

fly.dev is in the public suffix list, so the services that mark things “malicious” should treat xyz.fly.dev and example.fly.dev as entirely different domains.

There are bad services that don’t respect this though. What I would do is get as many details as possible on the error, try to figure out if it’s domain or IP address related, and then consider:

  • Adding a dedicated IP (shared IPs are prone to these alerts) with fly ips allocate-v4
  • Using a customer domain + certificate

I think doing both of those will clear those warnings up, even for the subpar services.


Thank you very much! I calmed everyone down by showing them that everything seems secure and I’ll look into whether I need to follow your suggestions or people can just ignore the message.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.