Generating an SSL Certificate - Verified but RSA or ECDSA never generated

I have generated a wildcard SSL certificate using fly certs create "*.ourdomainname.co.uk" -a <our-app-name>

and verified ownership successfully by setting the _acme_challenge CNAME, but the RSA and ECDSA seem not to have been generated successfully after over 12 hours.

I have been through this flow a few times with fly and the same domain in the last few days and it always worked fine after around an hour.

I recently deleted the certificate and then recreated it in an attempt to fix the issue, but it was instantly created in the same state as it was before.

So this hit a rate limit on Let’s Encrypt I haven’t seen before:

Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: *.ourdomain.co.uk: see https://letsencrypt.org/docs/rate-limits/

I’m not sure we can do anything about that other than just wait it out.

2 Likes
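As an added illustration (not part of the original thread, and not Fly.io or Let's Encrypt code), the sketch below parses the limit and window out of the error quoted above and works out when the oldest issuance ages out. It assumes the limit behaves as a sliding window, as the "in the last 168 hours" wording suggests; the issuance timestamps, `parse_limit` and `next_allowed` are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Error text as quoted in the thread.
ERROR = ("Error creating new order :: too many certificates (5) already issued "
         "for this exact set of domains in the last 168 hours: "
         "*.ourdomain.co.uk: see https://letsencrypt.org/docs/rate-limits/")

LIMIT_RE = re.compile(
    r"too many certificates \((?P<limit>\d+)\) already issued for this exact "
    r"set of domains in the last (?P<hours>\d+) hours: (?P<names>.+?): see ")

# Constructed sample data: five issuances from repeated delete/recreate cycles.
UTC = timezone.utc
ISSUED = [datetime(2021, 3, 1, 9, 0, tzinfo=UTC),
          datetime(2021, 3, 2, 14, 30, tzinfo=UTC),
          datetime(2021, 3, 3, 10, 0, tzinfo=UTC),
          datetime(2021, 3, 4, 16, 15, tzinfo=UTC),
          datetime(2021, 3, 5, 8, 45, tzinfo=UTC)]
NOW = datetime(2021, 3, 5, 21, 0, tzinfo=UTC)  # constructed "current" time

def parse_limit(message):
    """Return (limit, window, names) from the rate-limit error, or None."""
    m = LIMIT_RE.search(message)
    if m is None:
        return None
    # Assumption: multiple names in the set are comma-separated.
    names = [n.strip() for n in m.group("names").split(",")]
    return int(m.group("limit")), timedelta(hours=int(m.group("hours"))), names

def next_allowed(issued, limit, window, now):
    """Earliest time a new order for the same name set fits under the limit.

    Assumes a sliding window: an issuance stops counting once it is
    `window` old. `issued` holds timezone-aware datetimes.
    """
    recent = sorted(t for t in issued if now - t < window)
    if len(recent) < limit:
        return now  # already under the limit, no waiting needed
    # Enough old issuances must age out to leave limit-1 inside the window.
    return recent[len(recent) - limit] + window

if __name__ == "__main__":
    limit, window, names = parse_limit(ERROR)
    when = next_allowed(ISSUED, limit, window, NOW)
    print(f"{','.join(names)}: retry at {when.isoformat()} (in {when - NOW})")
```

Deleting and recreating the certificate before that time only adds failed orders; real issuance times for a name can be read from Certificate Transparency logs.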

Would it be possible to make certificates app-independent and be able to attach and detach them to apps? In particular for wildcard certificates such as here, this would make a lot of sense 🙂

2 Likes

Hi Kurt,

I had the same issue recently with one of my apps. I also tried to delete and redeploy the app, and waited a day to regenerate the SSL. But the SSL is still pending and awaiting a response from Let’s Encrypt.

Can you help me with the issue?

Best,
Gaurang

Hi Kurt,

I tried multiple times to reissue the SSL but had no luck. Can you assist me with the issue and help me resolve it?

Best,
Gaurang

Those DNS settings should work, as far as I can tell.
There are a couple of things that you might want to check:

I can see that you’re using Cloudflare for your DNS provider. Cloudflare settings can be a bit of a sticking point, so it’s worth a quick look to see if you need to rule anything out with that config.

The following posts have some good discussion on the topic (you may have already seen these, but just in case) 🙂

Since you do have things set up for a dns-01 challenge, I’d guess that this would work even with Cloudflare proxy set.

You could also get a wildcard cert for your domain (for an extra $2/month). As you pointed out, it does look like you have a valid cert for the www subdomain; having a wildcard might be worth it down the road if you’re planning on needing many more.

Are you able to see what certs are listed for your app with fly certs list? Does the validation target you have in your _acme-challenge match what you’d see in fly certs show typekitproxy.com?

Finally, how did you set things up with your www subdomain? I don’t see an _acme-challenge listed for it, so I’d guess that you used some other method for it.

Hi Kurt,
I’ve got the same problem. I have recreated the same certificate multiple times in one day. It was all green during the first attempts but at a certain point I started getting the same situation on the screen.

How long does it take to “wait it out”?

Hi SencareTech,

How long did the “wait it out” last?