I tried to set up a domain json.media for my app json-corp.fly.dev 2 days ago.
But it has not worked yet.
I set A/AAAA records and CNAME following the guide.
I'm not good at setting up networks. What did I do wrong?
Your DNS records are right, and looks like you’ve issued (many) wildcard TLS certs (via Lets Encrypt / ISRG), too.
What’s terminating TLS? Fly edge or your application?
json.media outside of Fly, then your application needs to terminate TLS itself.
json.media are managed via flyctl, then things should work out-of-the-box but your application cannot possibly terminate TLS (only Fly edge can). Your app needs to then accept plaintext traffic.
If you're okay, can you also share your app's fly.toml and the language/runtime of your application?
Thanks a lot!
This is my app's fly.toml. My app is an elixir/phoenix application.
```toml
# fly.toml file generated for json-corp on 2022-06-03T02:31:32+09:00

app = "json-corp"
kill_signal = "SIGINT"
kill_timeout = 5
processes = []

[build]
  builder = "heroku/buildpacks:20"
  buildpacks = ["https://cnb-shim.herokuapp.com/v1/hashnuke/elixir"]

[env]
  PORT = "8080"

[experimental]
  allowed_public_ports = []
  auto_rollback = true

[[services]]
  http_checks = []
  internal_port = 8080
  processes = ["app"]
  protocol = "tcp"
  script_checks = []

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20
    type = "connections"

  [[services.ports]]
    force_https = true
    handlers = ["http"]
    port = 80

  [[services.ports]]
    handlers = ["tls", "http"]
    port = 443

  [[services.tcp_checks]]
    grace_period = "1s"
    interval = "15s"
    restart_limit = 0
    timeout = "2s"
```
fly.toml looks right to me.
Btw, did you vend those wildcard certs for json.media through flyctl? If so, the output from this cmd should show 'em:
```shell
flyctl certs show json.media -a json-corp
```
I only have a cert for *.json.media. How can I vend a wildcard cert for json.media?
```shell
$ flyctl certs list -a json-corp
Host Name       Added        Status
*.json.media    3 days ago   Ready

$ flyctl certs show "*.json.media" -a json-corp
The certificate for *.json.media has been issued.
Hostname                  = *.json.media
DNS Provider              = godaddy
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 3 days ago
Source                    = fly
```
Considering the domain is either set up with A/AAAA records pointing to the IPv4/IPv6 of your Fly app json-corp (which they are right now):

First:
```shell
flyctl certs create json.media -a json-corp
```
Later:
```shell
flyctl certs show json.media -a json-corp
```
Apparently should show Configured = true and Status = Ready (ref.).

You should delete those wildcard certs if you don't need 'em. They aren't free.
```shell
flyctl certs delete "*.json.media"
```
It works! Thank you
Yeah, it does work! Nice.
If you want to continue to use the wildcard cert, set up your DNS appropriately. For ex:
```shell
# does not work because no such dns entry
curl https://random-63-chars.json.media -v
# works because the query is resolved ahead-of-time with the right ipv4
curl https://random-63-chars.json.media --resolve 'random-63-chars.json.media:443:37.16.14.11' -v
```
Create a wildcard DNS entry through Fly dashboard, or if you're ambitious, then via flyctl or Fly's graphql endpoint.
Basically, dig random.json.media +short should return the same IPv4 as dig www.json.media +short (likewise for IPv6: dig AAAA random.json.media +short).
Or, you could delete the wildcard cert and generate just the one for www.json.media, if that makes sense?
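The check described in the last reply (a random label under the zone must resolve to the same IPv4 and IPv6 as www.json.media, or the wildcard cert is paid for but never reachable) can be scripted instead of eyeballing dig output. The script below is an added example and is not part of the original thread or of flyctl. It uses only the Python standard library; the resolver is injectable so the logic can be exercised offline against a constructed answer table (SAMPLE_ZONE, with documentation-range addresses rather than Fly's real IPs, which is an assumption made for the example). It checks A and AAAA separately, because a forgotten AAAA wildcard record is exactly the kind of half-configured state that makes the curl test above fail only for IPv6 clients.

```python
"""Verify that a wildcard DNS entry resolves to the same addresses as a reference host.

Added example for the thread above, not flyctl's own code. The resolver is
injectable so the comparison logic runs offline against a constructed table.
"""
import secrets
import socket
import sys
from typing import Callable, Dict, Set

# A resolver maps (hostname, "A" | "AAAA") to the set of addresses it answers with.
Resolver = Callable[[str, str], Set[str]]

_FAMILY = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}


def system_resolver(host: str, rrtype: str) -> Set[str]:
    """Resolve through the OS stub resolver (same path curl and dig take by default).
    NXDOMAIN or "no data" comes back as an empty set instead of an exception."""
    try:
        infos = socket.getaddrinfo(host, None, _FAMILY[rrtype], socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def make_table_resolver(table: Dict[str, Dict[str, Set[str]]]) -> Resolver:
    """Build a resolver from a constructed answer table (for offline runs and tests)."""
    def resolve(host: str, rrtype: str) -> Set[str]:
        return set(table.get(host, {}).get(rrtype, set()))
    return resolve


def compare_records(probe: str, reference: str,
                    resolver: Resolver = system_resolver) -> Dict[str, dict]:
    """For A and AAAA, record what `reference` and `probe` resolve to and whether the
    sets match exactly. A missing answer on either side counts as a mismatch: a cert for
    *.json.media does nothing for a name that never resolves."""
    report = {}
    for rrtype in ("A", "AAAA"):
        want = resolver(reference, rrtype)
        got = resolver(probe, rrtype)
        report[rrtype] = {
            "reference": sorted(want),
            "probe": sorted(got),
            "ok": bool(want) and got == want,
        }
    return report


def wildcard_ok(probe: str, reference: str, resolver: Resolver = system_resolver) -> bool:
    """True only when both A and AAAA agree between the wildcard probe and the reference."""
    return all(row["ok"] for row in compare_records(probe, reference, resolver).values())


# Constructed answer table (RFC 5737 / RFC 3849 documentation addresses, not Fly's IPs).
# The wildcard A record exists, but the wildcard AAAA record was forgotten.
SAMPLE_ZONE = {
    "www.json.media": {"A": {"192.0.2.10"}, "AAAA": {"2001:db8::10"}},
    "fixed.json.media": {"A": {"192.0.2.10"}, "AAAA": {"2001:db8::10"}},
    "random-63-chars.json.media": {"A": {"192.0.2.10"}, "AAAA": set()},
}


def print_report(probe: str, reference: str, resolver: Resolver) -> None:
    for rrtype, row in compare_records(probe, reference, resolver).items():
        status = "ok" if row["ok"] else "MISMATCH"
        print(f"{rrtype:5} {status:9} reference={row['reference']} probe={row['probe']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: `python check_wildcard.py www.json.media`. A fresh random label defeats
        # resolver caches and any explicitly created subdomain, so only the wildcard can answer.
        reference = sys.argv[1]
        zone = ".".join(reference.split(".")[-2:])
        print_report(f"{secrets.token_hex(8)}.{zone}", reference, system_resolver)
    else:
        # Offline demo against the constructed table.
        table = make_table_resolver(SAMPLE_ZONE)
        for probe in ("fixed.json.media", "random-63-chars.json.media", "missing.json.media"):
            print(f"--- {probe}")
            print_report(probe, "www.json.media", table)
```

Run it with no arguments to see the three constructed cases (wildcard complete, wildcard missing its AAAA record, name that does not resolve at all); pass a reference hostname to probe a real zone through the system resolver. Only a fully matching A and AAAA pair means clients will reach the Fly edge and be served the *.json.media certificate regardless of address family.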