How long does it take for HTTPS certs to be created? (Cloudflare + Fly)

Is anyone using Cloudflare with Fly? Fly makes it easy to set up, but I can’t get past “SSL handshake failed Error code 525” errors.

I followed this excellent tutorial: Using Fly.io for Hosting and Cloudflare for DNS (Morgan Kartchner’s blog).

I also read this documentation:

I have configured Cloudflare like this:

  • CNAME (proxy) to my Fly project URL
  • CNAME (no proxy) to “_acme-challenge” provided by Fly during “fly certs add”

I have configured Fly like this:

  • I ran “fly certs add mydomain.com”.
  • But “fly certs show mydomain” doesn’t list an issue date.
  • The Let’s Encrypt “Let’s Debug” DNS test passed OK: https://letsdebug.net
  • The dashboard shows that the CNAME matches what they expect.

When will my certs be created? Do I need to wait more hours, or is there a problem stopping this from working?

Hi,

If all is well (both at Fly’s end and Let’s Encrypt’s) it should be seconds/minutes :thinking:

But … I recall adding Cloudflare in to the mix adding complexity because (naturally) it intercepts the requests and so does not return the expected A/AAAA values. As you describe, the solution should (in theory) be to add a sibling non-proxied (aka grey cloud) record which has the acme challenge value. That should be sufficient to pass the validation.

However, it may be complicated if using an apex domain. I’m not sure if you mention mydomain.com for brevity or whether it’s an actual apex, but there may be a difference between requesting a cert for:

example.com
*.example.com (ie a wildcard one)
www.example.com (specific subdomain).

… at least based on the numerous replies to this thread. I recall a while back that e.g. www.example.com proxied (orange cloud) behind Cloudflare (with the sibling non-proxied acme challenge record) was near-instant … but using e.g. example.com with the same setup wasn’t:

Perhaps someone who has done it more recently will have more knowledge :thinking:


I got this working, but I’m not certain it was the right way to do it.

  1. I changed my apex domain “wackywordcraft.com” from a CNAME (alias) to A and AAAA records.
  2. I disabled Proxy (orange cloud) on Cloudflare.
  3. The certs appeared almost instantly after that!
  4. I re-enabled Proxy (orange cloud) on Cloudflare.
  5. Things still work!

Here is my current status, after re-enabling proxy on Cloudflare

However, I don’t know if the cert will automatically renew with this setup. I might find that in 90 days my cert will expire and my site will break. Any thoughts on this?

Ah … ok … so yep that will solve it for now. Disabling Cloudflare and then requesting the certificate means it behaves as if it will never be there. Hence it all works and the certificate arrives.

However, yep, you correctly point out that the problem then moves to renewing it in X months, since the same thing will happen then. Fly will check your apex domain, not get the expected response, and (I assume) would therefore once again fail the validation.

The question is what happens then :thinking:.

Cloudflare would now be handling the client TLS bit, using its certificate. As you can see in your browser by clicking on the little icon to the left of the address bar. Fly not being able to re-validate its certificate would mean that one expires … but the Cloudflare one would still be ok. I don’t know what impact that has, if any, on the internal Cloudflare → Fly part.

I wonder if you would need its “Flexible” mode :thinking:

It would need someone else who has done this to say definitively either way.
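The two replies above hinge on the same DNS facts: whether Fly can see its own A/AAAA on the hostname (not Cloudflare’s edge addresses), and whether the grey-cloud `_acme-challenge` CNAME exists. The script below is an added example, not code from the thread or from Fly; it takes `dig +short` output for those three lookups and reports which validation path is available, so it can be re-run before a renewal is due. `FLY_A`, `FLY_AAAA`, `FLY_ACME` and the sample answers are constructed placeholders.

```python
# Added diagnostic for the Fly + Cloudflare certificate situation discussed above.
# Inputs are the raw text of `dig +short NAME A`, `dig +short NAME AAAA` and
# `dig +short _acme-challenge.NAME CNAME`. All values below are constructed placeholders.
FLY_A = "203.0.113.10"                     # placeholder for the IPv4 `fly ips list` shows
FLY_AAAA = "2001:db8::10"                  # placeholder for the IPv6 `fly ips list` shows
FLY_ACME = "example.com.abcd.flydns.net."  # placeholder for the target `fly certs add` prints


def parse_dig_short(text):
    """`dig +short` prints one answer per line; return the non-empty, stripped lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def diagnose(a_out, aaaa_out, acme_out, fly_a=FLY_A, fly_aaaa=FLY_AAAA, fly_acme=FLY_ACME):
    """Report which of the two validation paths the current DNS answers allow."""
    a, aaaa = set(parse_dig_short(a_out)), set(parse_dig_short(aaaa_out))
    acme = {v.rstrip(".").lower() for v in parse_dig_short(acme_out)}
    points_at_fly = fly_a in a and fly_aaaa in aaaa
    findings = {
        # Fly's check expects its own A/AAAA on the hostname; an orange-cloud (proxied)
        # record answers with Cloudflare edge IPs instead, which is what stalls issuance.
        "host_points_at_fly": points_at_fly,
        "host_answers_elsewhere": bool(a or aaaa) and not points_at_fly,
        # The sibling grey-cloud _acme-challenge CNAME is the path that can still validate.
        "acme_cname_ok": fly_acme.rstrip(".").lower() in acme,
    }
    if points_at_fly:
        findings["verdict"] = "direct: Fly sees its own A/AAAA, issuance and renewal can proceed"
    elif findings["acme_cname_ok"]:
        findings["verdict"] = "proxied: depends on the _acme-challenge CNAME at issuance and each renewal"
    else:
        findings["verdict"] = "blocked: neither Fly's A/AAAA nor the _acme-challenge CNAME is visible"
    return findings


# Constructed `dig +short` output: a proxied hostname plus a grey-cloud challenge record.
PROXIED = dict(
    a_out="198.51.100.7\n198.51.100.8\n",   # stands in for Cloudflare edge IPs
    aaaa_out="2001:db8:ff::7\n",
    acme_out="example.com.abcd.flydns.net.\n",
)
# Constructed output after the poster's fix: unproxied A/AAAA pointing straight at Fly.
DIRECT = dict(a_out=FLY_A + "\n", aaaa_out=FLY_AAAA + "\n", acme_out="")

if __name__ == "__main__":
    for name, case in (("proxied", PROXIED), ("direct", DIRECT)):
        print(name, "->", diagnose(**case)["verdict"])
```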
