I’m working on an app that automatically assigns subdomains to projects that people create through it (like Slack does with my-slack-org-name.slack.com subdomains for Slack orgs). People can also assign custom domains to projects they create on the app. I’m trying to evaluate which Elixir hosting service to use it on based (in part) on how easy/difficult it is to handle setting up custom domains and subdomains.
Gigalixir doesn’t limit the number of associated domains, except for adhering to Let’s Encrypt’s rate limits, and does let you assign them via an API, but for wildcards you have to provide certs yourself and contact them to get them set up — wildcard certs can’t be created via the API.
It looks like fly.io’s API lets you add custom domains including wildcards via the API. Is that correct? And are there limits to the number of domains that can be associated with a specific app?
Fly will happily vend wildcard certs and terminate TLS on your app’s behalf.
(Note: I haven’t tried those steps myself, but they seem pretty straightforward. We instead vend wildcard certs from ZeroSSL and terminate TLS ourselves. How are you managing cert files with Fly?)
1. Create a fly-app.
2. Update the DNS A / AAAA records (for the names you want to generate certs for, say fly.domain.tld and *.fly.domain.tld) to point to your fly-app’s IPs (fly ips list -a <fly-app-name>). (Fly uses ALPN challenges to procure certs?)
3. Run flyctl certs create fly.domain.tld and flyctl certs create *.fly.domain.tld.
A wildcard cert for *.fly.domain.tld can serve TLS for xyz.fly.domain.tld / 123.fly.domain.tld / <any-up-to-63-chars>.fly.domain.tld, but not for fly.domain.tld or abc.domain.tld or xyz.123.fly.domain.tld.
A single-hostname cert for fly.domain.tld will serve TLS for fly.domain.tld alone, and nothing else. I am not sure how many single-hostname certs Fly allows per app, but you’d not want to vend very many single-hostname certs anyway (given the logistics of it all).
Up to 10 fly-managed single hostname (dns name, ex: fly.domain.tld) certificates are free. Fly-managed wildcard certs (ex: *.fly.domain.tld) cost $2/mo.
@ignoramous posted a great answer. To add on, you can create an unlimited number of certificates on your Fly app. We can handle millions. This is part of why we have a certificate fee, it makes it very easy for us to justify scaling the certificate system as big as it needs to go.
That is great to hear! I just learned I was actually wrong about Gigalixir not having a cap on the number of custom domains you can have, so I’m pretty sure I’m gonna be migrating to Fly. Really appreciate the clarity!
Sorry for my lack of understanding. I have never done certs before myself. But if my domain was example.com and my app location was example.fly.dev, how would that change the above?
b. Or, through flyctl (as mentioned above): fly ips list -a example
Update the A (IPv4) / AAAA (IPv6) DNS records (wherever they are: GoDaddy, Cloudflare, Namecheap, NS1, Route53, EasyDNS, etc.) for example.com (optionally, for *.example.com) with the IPs retrieved from step #2.
Run flyctl certs create example.com (optionally, flyctl certs create *.example.com).
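The steps above (both the generic fly.domain.tld walkthrough and the example.com variant) boil down to two flyctl calls plus a DNS change, and the thing that most often goes wrong is requesting a wildcard and then expecting it to cover the zone apex or a two-level name. The script below is an added example, not code from this thread or from Fly: it wraps the flyctl steps in a dry-run-by-default function and adds a pure-shell check that tells you, before you request anything, which hostnames a given cert will cover, using exactly the coverage rules stated earlier in the thread. It assumes flyctl is installed and logged in, that fly certs create accepts -a/--app like the other fly subcommands, and that "example" and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fly. Wraps the flyctl
# steps (fetch the app's IPs for your DNS records, request a single-hostname
# and a wildcard cert) and checks cert coverage up front.
# Assumptions: flyctl is installed and logged in; "fly certs create" takes
# -a/--app; "example", example.com and fly.domain.tld are placeholders.

# cert_covers CERT HOST -> exit 0 if a cert issued for CERT covers HOST.
# Rules as stated in the thread: *.zone covers exactly one extra label under
# zone (max 63 chars), never the zone apex and never deeper names; a plain
# name covers only itself. Hostnames compare case-insensitively.
cert_covers() {
  cert=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$cert" in
    \*.*)
      zone=${cert#\*.}                       # strip the leading "*."
      label=${host%".$zone"}                 # what is left before ".zone"
      [ "$label" != "$host" ] || return 1    # host is not under zone at all
      [ -n "$label" ] || return 1            # host is the zone apex itself
      case "$label" in *.*) return 1 ;; esac # more than one extra label
      [ "${#label}" -le 63 ] || return 1     # DNS label length limit
      return 0
      ;;
    *)
      [ "$cert" = "$host" ]
      ;;
  esac
}

# run_cmd CMD... -> print the command when DRY_RUN=1 (the default here),
# otherwise execute it. Keeps the example safe to run without an account.
run_cmd() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# request_certs APP NAME... -> step 2 (list the IPs to put in your A/AAAA
# records) and step 4 (one "fly certs create" per NAME). Refuses arguments
# that are clearly not hostnames so a typo does not burn a certificate slot.
request_certs() {
  app=$1; shift
  for name in "$@"; do
    case "$name" in
      *.*) ;;
      *) echo "refusing '$name': not a hostname" >&2; return 2 ;;
    esac
  done
  run_cmd fly ips list -a "$app"
  for name in "$@"; do
    run_cmd fly certs create -a "$app" "$name"
  done
}

# Demo (dry run, nothing is sent to Fly): sh this_script.sh demo
if [ "${1:-}" = demo ]; then
  for h in xyz.example.com example.com xyz.123.example.com; do
    if cert_covers '*.example.com' "$h"; then
      echo "*.example.com covers $h"
    else
      echo "*.example.com does NOT cover $h"
    fi
  done
  request_certs example example.com '*.example.com'
fi
```

Run it with DRY_RUN=0 once the DNS records point at the IPs that fly ips list printed; until then the ALPN challenge cannot complete, so requesting early only leaves the cert pending. The coverage check is worth keeping around as a pre-flight test for the auto-assigned subdomain case from the original question: a project subdomain is covered by the wildcard only if it is a single label, so anything that nests a further level needs its own cert.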
One simple question about the 10 free certificates limit: if I created an xyz.example.org certificate for one app, then deleted that app, then created the same xyz.example.org for another app, will it be counted as one certificate or two? @kurt