fly.io: can you please clear certificate cache for *.azezment.com at ewr edge

background:

The app name is azezment region iad with a cert on *.azezment.com.
I have another app called azezment-dev in dfw with it’s own cert on dev.azezment.com

Here are some examples of issues:

1. Users are having connectivity issues, Connection closed errors on browser as they redirect from Google Gmail oAuth2 workflow.

2. Some users are reporting browser errors: “This site can’t provide a secure connection www.azezment.com sent an invalid response. ERR_SSL_PROTOCOL_ERROR.

3. I’ve gotten the same error, infrequently, but it goes away.

summary: Intermittent, it works for me most of the time, but not others real-time in trouble-shooting. All in NY Metropolital area (any casting to ewr) problem fixes itself while trouble-shooting.

1. app: single machine , single region app azezment originally deployed in ewr, but I moved it to iad on 12/5/25.
2. deployed new certificate “*.azezment.com” 2 weeks old.

put header in app:

curl -I ``https://azezment.com`` | grep -i “fly-prefer-region”
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 31 0 0 0 0 0 0 --:–:-- --:–:-- --:–:-- 0
fly-prefer-region: iad

yet still routing via ewr:

curl -sI https://azezment.com | grep -E “fly-request-id|via”

via: 2 fly.io, 2 fly.io
fly-request-id: 01KE5M787BKE3X9DCBQ6PWQEJT-ewr

help: fly.io: can you please clear certificate cache for *.azezment.com at ewr edge . Any other ideas ?

Hi again… I don’t know the certificates side, but the fly-prefer-region header is being used incorrectly there. It’s the clients that would need to set that, given that it’s a request header.

Anyway, it’s not clear to me that you really need to override anything in terms of regions. I tried a request to azezment.com from a location in the greater NYC area, and it did connect to an iad Machine of yours.

Perhaps you’re misunderstanding the -ewr suffix on the fly-request-id? That only shows where the Fly.io infrastucture received the request initially, before forwarding it on to your actual Machine, and you don’t really have control over that first connection.

The way to see which server region the ultimately responding Machine is in is via the flyio-debug: doit header on the client side. Look in the sr field of the returned JSON blob.

$ curl -s -I -H 'flyio-debug: doit' 'https://azezment.com/' | \
  grep -P -i 'flyio-debug|fly-request-id'
fly-request-id: 01KE5R2FZF9NGDXC0TQ7EX90AJ-ewr
flyio-debug: {"n":"worker-cf-ewr1-9795","nr":"ewr",
              "ra":"2605:4c40:222:9795:0:5943:6973:1",
              "rf":"Verbatim",
          →   "sr":"iad","sdc":"ash1","sid":"d8d1790c2d66d8",
              "st":0,"nrtt":0,"bn":"worker-lsh-ash1-103b",
              "mhn":"edge-cf-iad2-bf81","mrtt":7}

(Whitespace and arrow added for legibility.)

Thank you for your response.

my fly-prefer-region was my attempt to unsuccessfully fix the problem. Thanks for clarifying.

However, the problem is real, still happening and appears intermitent , depending on your network? not sure.

For example, happening right now:

1. if I’m connected to my Wifi Optimum ISP , my phone can get to “azezment.com, no issues

optimum-isp-provider-working1179×2556 348 KB

2. but if turn off my wifi and go on T-Mobile data 5G, then it does not work: azezment.com .

t-mobile-data-not-working1179×2556 130 KB

I just got another person calling me to report an outage from their network ( Fios ), and it’s the same issue. They happen to live in Port Washington, Long Island NY.

Notice the ERR_SSL_PROTOCOL_ERROR , which might be a certificate issue.
Can you please help ? or have someone in the proxy/certs area look into it please ?

I see “no hits” coming to the application when the ERR_SSL_PROTOCOL_ERROR happens, so it can’t be the application or my setup. Or if it is, I’m at a dead end and can only hope fly . io can fix it on their side and point me in the right direction .

Thanks in Advance to the Fly Team ,

Hm… Is it strictly necessary to have the dev.azezment.com domain? I’m suspicious of the overlap between that and the *.azezment.com wildcard, but I don’t know for sure that’s a problem…

(The second, failing screenshot shows www.azezment.com, which would fall under the wildcard, whereas the working azezment.com does not, if I remember correctly.)

I don’t work at Fly.io, but, in my opinion, if you have lots of users relying on your service, then you probably want at least the basic Support Plan.

Is it possible to try a curl -v from an IP that does not work (i.e. seeing this SSL protocol error)? Usually if this is intermittent, it is not a certificate issue but rather our edge proxies not finding your app somehow. This could be due to a variety of reasons, and curling with verbose output could help here.

EDIT: I found out why:

[peter@frmwk ~]$ dig AAAA www.azezment.com

; <<>> DiG 9.20.17 <<>> AAAA www.azezment.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52684
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.azezment.com.		IN	AAAA

;; ANSWER SECTION:
www.azezment.com.	1799	IN	AAAA	2a09:8280:1::8d:e83b:0

;; AUTHORITY SECTION:
azezment.com.		1800	IN	NS	dns1.registrar-servers.com.
azezment.com.		1800	IN	NS	dns2.registrar-servers.com.

;; Query time: 36 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Jan 05 09:58:22 EST 2026
;; MSG SIZE  rcvd: 129

The AAAA record on www.azezment.com (NOT the one without www.) resolves to a different IPv6 address that doesn’t seem to correspond to any app here. The correct IPv6 for your app is 2a09:8280:1::b7:abf7:0 and your bare domain azezment.com resolves correctly:

[peter@frmwk ~]$ dig AAAA azezment.com

; <<>> DiG 9.20.17 <<>> AAAA azezment.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25472
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;azezment.com.			IN	AAAA

;; ANSWER SECTION:
azezment.com.		1799	IN	AAAA	2a09:8280:1::b7:abf7:0

;; Query time: 39 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Jan 05 09:59:20 EST 2026
;; MSG SIZE  rcvd: 69

Depending on whether you have IPv6 connectivity or whether IPv6 is preferred on each of them, you may end up getting resolved to that wrong IPv6 and your website would not work in that case.

FIXED.
I removed some extra apps I had created before.
not sure why the proxy got confused, but this fixed it.

~ 13:39 % fly app destroy fly-builder-white-snow-433
Destroying an app is not reversible.
? Destroy app fly-builder-white-snow-433? Yes
Destroyed app fly-builder-white-snow-433
~ 13:39 % fly app destroy azezment-damp-grass-2453
Destroying an app is not reversible.
? Destroy app azezment-damp-grass-2453? Yes
Destroyed app azezment-damp-grass-2453

======= here’s my issue before I found the FIX ================

Thanks,

Good catch.
I corrected it on DNS and verified it. But still not working, Proxy doesn’t seem to see it, cause I don’t even get any traffic on the machine.
I tried the visit the app at https://azezment.fly.dev/ , which should work, but it doesn’t either. Doesn’t make sense.

Thanks again, here’s my trace:

; <<>> DiG 9.10.6 <<>> AAAA www.azezment.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50553
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.azezment.com.		IN	AAAA

;; ANSWER SECTION:
www.azezment.com.	52	IN	AAAA	2a09:8280:1::b7:abf7:0

;; Query time: 14 msec
;; SERVER: 192.168.68.1#53(192.168.68.1)
;; WHEN: Mon Jan 05 11:55:52 EST 2026
;; MSG SIZE  rcvd: 73

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.