Limitations with respect to wildcard certs or domains per app?

I’m working on an app that automatically assigns subdomains to projects that people create through it (like Slack does with my-slack-org-name.slack.com subdomains for Slack orgs). People can also assign custom domains to projects they create on the app. I’m trying to evaluate which Elixir hosting service to use it on based (in part) on how easy/difficult it is to handle setting up custom domains and subdomains.

Heroku has a limit of 1000 custom domains per app, which makes it a non-starter for my project.

Gigalixir doesn’t limit the number of associated domains, except for adhering to Let’s Encrypt’s rate limits, and does let you assign them via an API, but for wildcards you have to provide certs yourself and contact them to get them set up — wildcard certs can’t be created via the API.

It looks like fly.io’s API lets you add custom domains including wildcards via the API. Is that correct? And are there limits to the number of domains that can be associated with a specific app?

1 Like

Fly will happily vend wildcard certs and terminate TLS on your app’s behalf.

(Note: I haven’t tried those steps myself, but they seem pretty straightforward. We instead vend wildcard certs from ZeroSSL and terminate TLS ourselves. How are you managing cert files with Fly?)

  1. Create a fly-app.
  2. Update DNS A / AAAA records (you want to generate certs for, say fly.domain.tld and *.fly.domain.tld) to point to your fly-app’s IPs fly ips list -a <fly-app-name> (fly uses ALPN challenges to procure certs?).
  3. run flyctl certs create fly.domain.tld and flyctl certs create *.fly.domain.tld
  4. Profit?

Ref: SSL for Custom Domains

Wildcard cert for *.fly.domain.tld can serve TLS for xyz.fly.domain.tld / 123.fly.domain.tld / <up-to-any-63-chars>.fly.domain.tld but not for fly.domain.tld or abc.domain.tld or xyz.123.fly.domain.tld.

Single hostname cert for fly.domain.tld will serve TLS for fly.domain.tld alone, and nothing else. I am not sure how many single hostname certs fly allows per-app, but you’d not want to vend very many single hostname certs, anyway (given the logistics of it all).

Up to 10 fly-managed single hostname (dns name, ex: fly.domain.tld) certificates are free. Fly-managed wildcard certs (ex: *.fly.domain.tld) cost $2/mo.

2 Likes
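As an added example (not from the post above and not Fly's code), here is a small Python check that implements the one-label wildcard rule ignoramous describes, so you can confirm which hostnames a planned set of certificate names would cover before requesting certs. The certificate names and hostnames in it are constructed.

```python
"""Which hostnames does a set of certificate names cover?

Rule implemented (matches the post and RFC 6125 section 6.4.3):
  *.fly.domain.tld covers xyz.fly.domain.tld and 123.fly.domain.tld,
  but NOT fly.domain.tld (the parent), abc.domain.tld (another zone)
  or xyz.123.fly.domain.tld (two labels deep).
"""
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def valid_hostname(host: str) -> bool:
    """True if every label of host is a syntactically valid DNS label."""
    return all(_LABEL.match(label) for label in host.lower().rstrip(".").split("."))


def name_covers(cert_name: str, host: str) -> bool:
    """True if one certificate name (plain or one-label wildcard) covers host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not valid_hostname(host):
        return False
    if not cert_name.startswith("*."):
        return cert_name == host  # single-hostname cert: exact match only
    suffix = cert_name[1:]  # "*.fly.domain.tld" -> ".fly.domain.tld"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    # Exactly one label may stand in for '*': never zero (the parent name),
    # never two or more (a deeper subdomain).
    return bool(prefix) and "." not in prefix


def covering_name(cert_names, host):
    """Return the first cert name covering host, or None if TLS would fail."""
    for name in cert_names:
        if name_covers(name, host):
            return name
    return None


def uncovered(cert_names, hosts):
    """Hostnames for which none of cert_names applies (i.e. certs still needed)."""
    return [h for h in hosts if covering_name(cert_names, h) is None]


if __name__ == "__main__":
    # Constructed plan: one wildcard for project subdomains plus the parent name.
    certs = ["fly.domain.tld", "*.fly.domain.tld"]
    hosts = ["fly.domain.tld", "xyz.fly.domain.tld", "xyz.123.fly.domain.tld", "custom.example"]
    print("still need certs for:", uncovered(certs, hosts))
```

A customer's custom domain (custom.example above) is never covered by your wildcard, so each one needs its own single-hostname certificate.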

@ignoramous posted a great answer. To add on, you can create an unlimited number of certificates on your Fly app. We can handle millions. This is part of why we have a certificate fee, it makes it very easy for us to justify scaling the certificate system as big as it needs to go.

2 Likes

That is great to hear! I just learned I was actually wrong about Gigalixir not having a cap on the number of custom domains you can have, so I’m pretty sure I’m gonna be migrating to Fly. Really appreciate the clarity!

1 Like

Sorry for my lack of understanding. I have never done certs before myself. But if my domain was example.com and my app location was example.fly.dev, how would that change the above?

  1. You’d then be generating certs for example.com (optionally, for *.example.com)

  2. Find the IPs (any one is also enough) serving example.fly.dev and use that in step #3

    a. You can find the IP here: DNS-Lookup - The Professional Free DNS Lookup Checker Tool

    b. Or, through flyctl (as mentioned above): fly ips list -a example

  3. Update A (IPv4) / AAAA (IPv6) DNS records (wherever they are: GoDaddy, Cloudflare, Namecheap, NS1, Route53, EasyDNS, etc.) for example.com (optionally, for *.example.com) with the IPs retrieved from step #2

  4. Run flyctl certs create example.com (optionally, flyctl certs create *.example.com)

Maybe a dumb question… isn’t a CNAME from example.com to example.fly.dev enough?

Yes, CNAMEs should work for sub-domains (i.e. *.example.com or www.example.com), but one can’t CNAME the apex (aka example.com).

No I mean CNAME from example.com to example.fly.dev instead of the above.

Ah, I see…

Fly indeed has added a new way to ACME: How to get certs DNS validation target?

1 Like