How to get certs DNS validation target?

I want to use Cloudflare to defend against DDoS, so I use Cloudflare proxy mode. There was a problem generating the certificate.

According to the documentation, fly.io can use DNS challenge when generating certificates, but I can’t find the value that DNS challenge needs to set.

Document: SSL for Custom Domains

$ flyctl certs show example.com
...
  DNS Provider                = dnsimple
  DNS Validation Instructions = CNAME _acme-challenge.example.com => example.com.o055.flydns.net.
  DNS Validation Hostname     = _acme-challenge.example.com
  DNS Validation Target       = example.com.o055.flydns.net
...

What I get (hide domain info):

$ flyctl certs show <my-domain>
Hostname                  = <my-domain>
DNS Provider              = 
Certificate Authority     = Let's Encrypt
Issued                    = 
Added to App              = 25 minutes ago
Source                    = fly

...

You can configure your DNS for <my-domain> by:

1: Adding an CNAME record to your DNS service which reads:

    CNAME <subdomain>. <app>.fly.dev

How can I get the DNS Validation Target value? Or am I misunderstanding the DNS challenge?

I’ve done that, same as you, using the Cloudflare proxy in front of a Fly app.

Perhaps the docs are out of sync, not sure, but in the meantime you can get that DNS Validation CNAME from the Fly dashboard. Sign in from fly.io, click on your app, click on ‘Certificates’, and then on the ‘View’ button to see its details.

The CNAME you need to add will probably be like domain.abcd.flydns.net. That extra DNS entry will need to be grey-cloud (non proxy) in Cloudflare.


That’s what I need, thanks!

I found that I still need to turn off proxy mode for the domain verification to pass. I don’t know if opening the proxy later will affect the certificate renewal.

Anyway, I finally created a certificate.


Yeah, a little sad that the CLI doesn’t show this info anymore.

FWIW, I was able to get this info using the JSON output flag, e.g.:

$ flyctl certs show <domain> -j
The certificate for <domain> has been issued.

{
    "ID": "",
    "AcmeDNSConfigured": ,
    "AcmeALPNConfigured": ,
    "Configured": ,
    "CertificateAuthority": "lets_encrypt",
    "CreatedAt": "",
    "DNSProvider": "",
    "DNSValidationInstructions": ...,
    "DNSValidationHostname": ...,
    "DNSValidationTarget":...,
   ...
}
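
Added example, not part of any post in this thread and not Fly's own code: a Python sketch that pulls the validation CNAME out of `flyctl certs show <domain> -j` output, which starts with a status line before the JSON, and checks a looked-up CNAME answer against it. The sample output is constructed from the documentation excerpt quoted in the question; the function names and the record dict layout are assumptions, with `proxied: False` standing for the grey-cloud setting described above.

```python
import json

# Constructed sample: same shape as the -j output quoted above, with the
# values from the documentation excerpt in the question filled in.
SAMPLE_OUTPUT = """The certificate for example.com has been issued.

{
    "CertificateAuthority": "lets_encrypt",
    "DNSValidationHostname": "_acme-challenge.example.com",
    "DNSValidationTarget": "example.com.o055.flydns.net"
}
"""

def parse_cert_json(output):
    """Skip the status text that precedes the JSON object, then decode it."""
    start = output.find("{")
    if start < 0:
        raise ValueError("no JSON object in flyctl output")
    cert, _ = json.JSONDecoder().raw_decode(output[start:])
    return cert

def norm(name):
    """Compare DNS names without trailing dot and case differences."""
    return name.strip().rstrip(".").lower()

def validation_record(cert):
    """Build the DNS-only CNAME record to create (hypothetical dict layout)."""
    host = cert.get("DNSValidationHostname")
    target = cert.get("DNSValidationTarget")
    if not host or not target:
        raise ValueError("certificate JSON has no DNS validation fields")
    return {"type": "CNAME", "name": norm(host),
            "content": norm(target), "proxied": False}

def check_answer(record, answers):
    """answers: lines printed by `dig +short CNAME <record name>`."""
    got = [norm(a) for a in answers if a.strip()]
    if not got:
        return "missing"  # no CNAME visible: record absent or not DNS-only
    return "ok" if got == [record["content"]] else "mismatch"

if __name__ == "__main__":
    rec = validation_record(parse_cert_json(SAMPLE_OUTPUT))
    print(rec)
    print(check_answer(rec, ["example.com.o055.flydns.net."]))
```
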