I tried to set up a domain json.media for my app json-corp.fly.dev 2 days before.
But it has not worked yet.
I set A/AAAA records and CNAME following the guide.
I’m not good at setting up networks. What did I do wrong?
Your DNS records are right, and it looks like you’ve issued (many) wildcard TLS certs (via Let's Encrypt / ISRG), too.
What’s terminating TLS? Fly edge or your application?
json.media outside of Fly, then your application needs to terminate TLS itself.
json.media are managed via flyctl, then things should work out-of-the-box, but your application cannot possibly terminate TLS (only Fly edge can). Your app needs to then accept plaintext traffic.
If you’re okay, can you also share your app’s fly.toml and the language/runtime of your application?
Thanks a lot!
This is my app’s fly.toml. My app is an elixir/phoenix application
# fly.toml file generated for json-corp on 2022-06-03T02:31:32+09:00
app = "json-corp"
kill_signal = "SIGINT"
kill_timeout = 5
processes = []
[build]
builder = "heroku/buildpacks:20"
buildpacks = ["https://cnb-shim.herokuapp.com/v1/hashnuke/elixir"]
[env]
PORT = "8080"
[experimental]
allowed_public_ports = []
auto_rollback = true
[[services]]
http_checks = []
internal_port = 8080
processes = ["app"]
protocol = "tcp"
script_checks = []
[services.concurrency]
hard_limit = 25
soft_limit = 20
type = "connections"
[[services.ports]]
force_https = true
handlers = ["http"]
port = 80
[[services.ports]]
handlers = ["tls", "http"]
port = 443
[[services.tcp_checks]]
grace_period = "1s"
interval = "15s"
restart_limit = 0
timeout = "2s"
fly.toml looks right to me.
Btw, did you vend those wildcard certs for json.media through flyctl? If so, the output from this cmd should show 'em:
flyctl certs show json.media -a json-corp
I only have a cert for *.json.media. How can I vend wildcard cert for json.media?
flyctl certs list -a json-corp
Host Name Added Status
*.json.media 3 days ago Ready
flyctl certs show "*.json.media" -a json-corp
The certificate for *.json.media has been issued.
Hostname = *.json.media
DNS Provider = godaddy
Certificate Authority = Let's Encrypt
Issued = rsa,ecdsa
Added to App = 3 days ago
Source = fly
Considering the domain is set up with A/AAAA records pointing to the IPv4/IPv6 of your Fly app json-corp (which they are right now):
First:
flyctl certs create json.media -a json-corp
Later:
flyctl certs show json.media -a json-corp
Apparently should show Configured = true and Status = Ready
You should delete those wildcard certs if you don’t need 'em. They aren’t free.
flyctl certs delete "*.json.media"
It works! Thank you!
Yeah, it does work! Nice.
If you want to continue to use the wildcard cert, set up your DNS appropriately:
For ex:
# does not work because no such dns entry
curl https://random-63-chars.json.media -v
# works because the query is resolved ahead-of-time with the right ipv4
curl https://random-63-chars.json.media --resolve 'random-63-chars.json.media:443:37.16.14.11' -v
Create a wildcard DNS entry through Fly dashboard, or if you’re ambitious, then via flyctl or Fly’s graphql endpoint.
Basically, dig random.json.media +short should return the same IPv4 as dig www.json.media +short (likewise for IPv6: dig AAAA random.json.media +short).
Or, you could delete the wildcard cert and generate just the one for www.json.media, if that makes sense?
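The two checks this thread turns on (a *.json.media wildcard cert does not cover the apex json.media, and a wildcard DNS name must resolve to the same addresses as www) can be scripted. The following is an added example, not code from the thread or from Fly; the addresses in FAKE_DNS are constructed documentation values, not the real json-corp IPs, and live_sans() is an optional helper for pointing the same checks at a real host.

```python
import socket
import ssl
from typing import Iterable, List

# Wildcard matching as in RFC 6125: "*" stands for exactly one leftmost label,
# so *.json.media covers www.json.media but NOT json.media (the thread's problem)
# and NOT a.b.json.media.
def san_matches(san: str, hostname: str) -> bool:
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    labels = hostname.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == san[2:]

def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True when any SAN entry of the served cert covers hostname."""
    return any(san_matches(s, hostname) for s in sans)

def resolved_addrs(hostname: str, resolve=socket.getaddrinfo) -> set:
    """All IPv4/IPv6 addresses hostname resolves to; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in resolve(hostname, 443)}
    except socket.gaierror:
        return set()

def same_origin(host_a: str, host_b: str, resolve=socket.getaddrinfo) -> bool:
    """The 'dig random.json.media == dig www.json.media' comparison from the thread."""
    a, b = resolved_addrs(host_a, resolve), resolved_addrs(host_b, resolve)
    return bool(a) and a == b

def live_sans(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect with SNI and return the DNS names in the leaf cert's SAN.
    Chain verification stays on; only the hostname check is disabled so a
    mismatched cert can still be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed sample resolver standing in for getaddrinfo (addresses invented).
FAKE_DNS = {
    "json.media": ["203.0.113.10", "2001:db8::10"],
    "www.json.media": ["203.0.113.10", "2001:db8::10"],
    "random.json.media": [],  # no wildcard DNS record yet, as in the thread
}

def fake_resolve(host: str, port: int):
    addrs = FAKE_DNS.get(host.rstrip("."), [])
    if not addrs:
        raise socket.gaierror("no such name")
    return [(None, None, None, "", (a, port)) for a in addrs]
```

For a real host, `cert_covers(live_sans("json.media"), "json.media")` reports whether the cert Fly's edge serves actually names the apex.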