HTTPS Checks now support true TLS certificate verification

Have you had the need to end TLS on your end instead of Fly’s proxy?

If that is the case, you may have wanted to add service’s checks over HTTPS (not plain http).

internal_port = 443
protocol = "tcp"

port = 443
# Notice there are no handlers for this port, usually it is: handlers = ["tls", "http"]

interval = "1s"
protocol = "https"
path = "/status"

Until today, FLY supported https checks but it couldn’t verify the TLS certificates served by your web app.

As it run requests using the machine IP address like in, the returned certificate can’t be validated unless we provide the SNI.

The usual workaround was to add tls_skip_verify = true to the check definition.

Starting with flyctl v0.1.65 you can set your tls cert hostname with tls_server_name service keyword.

for our example to work, all its need is tls_server_name as:

interval = "1s"
protocol = "https"
path = "/status"
tls_server_name = ""

Behind the scenes we use Hashicorp’s Consul to run health checks, tls_server_name and its cousin tls_skip_verify are one-to-one mappings of Consul’s:

HTTP checks expect a valid TLS certificate by default. You can disable certificate verification by setting the tls_skip_verify field to true. When using TLS and a host name is specified in the http field, the check automatically determines the SNI from the URL. If the http field is configured with an IP address or if you want to explicitly set the SNI, specify the name in the tls_server_name field.

happy certificate verifications!