Is it possible to use certmagic with Fly?

My issue is that I need to enable http2 with my SaaS and unless I’m serving over TLS, I cannot do that. As I have multiple domains proxied through my server, I turned to certmagic.

Rather than the standard logs I get from certmagic, I’m seeing “86.109.12.167:36636” when I try to connect with my domain.

Any idea of where I should look to solve my problem?

Edit:

On this test it shows I can’t even connect to the server.

My Docker image works well locally, and I’m reusing a fly.toml from a different project.

app = "test-ssl"

[[services]]
    internal_port = 443
    protocol = "tcp"

    [services.concurrency]
        hard_limit = 1000
        soft_limit = 800

    [[services.ports]]
        handlers = ["http"]
        port = "80"

    [[services.ports]]
        handlers = ["tls", "http"]
        port = "443"

    [[services.tcp_checks]]
        interval = 10000
        timeout = 2000

Just to make sure I understand, you need SSL for your customers, and want http2? Both of those things work with Fly, you can add certificates to your app with flyctl certs add and http2 just works.

There’s not currently another way to use http2.

You could, theoretically, get certmagic to work but you’d need to somehow teach it how to store certificates on s3 or similar. Then you can turn off the tls and http handlers in the config and handle all SSL yourself. Most people don’t actually want to do this though!

Kurt, looking back at the last two days of wrestling with http2 and ssl’s I realized if I just took two seconds to look at the network services section, specifically around h2c, I would be two days further into my project. Thank you for your response.

And yes, managing SSL’s lifecycle outside of fly sounds like a nightmare. I’m glad I can just wrap my handler with some h2c magic.

Out of curiosity, why can’t I use http2 if I managed the handlers myself?

Actually I was mistaken, if you handle TLS yourself you can do your own http2. If you have us do TLS, and then turn off the HTTP handler, we don’t currently send the ALPN header for http2.

Makes sense, thank you.

I’ll just stick to your very reasonably priced SSL on demand. With the new pricing are there any talks about changing the pricing structure for SSL?

Certificates might be the only pricing we got right on the first try.

We’ll probably include some number of certs in whatever our base “plan” is when we redo pricing, but only ~20 and keep the pricing the same for extra.

Thank goodness! Good luck on your repricing adventures. If you ever want to talk shop on marketing let me know. I’m a marketing consultant gone SaaS dev and always enjoy passing around ideas with cool companies.

@kurt maybe mention for completeness the option to get the static IPv4 address for an app?

If I offered a blogging engine and let all my users set their own domains, for example, I’d buy a static IP4 address from Fly, ask all my users to point their CNAMES to it, enable only the TCP handler on Fly config, and tell certmagic to do its thing, right?

@sudhir.j We have a lot of people running those types of apps on Fly, we even have a guide! https://fly.io/docs/app-guides/custom-domains-with-fly/

No one I know of is running certmagic, though, because it’s complicated to verify domain ownership. You can issue certificates for any hostname pointed at an IP, but it’s not a good idea. Companies don’t clean up their DNS entries, so subdomain takeover attacks are a big problem: https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

A guide for using Caddy/certmagic with S3 on Fly would be pretty neat, though.