Fly will happily vend wildcard certs and terminate TLS on your app’s behalf.
(Note: I haven’t tried those steps myself, but they seem pretty straight-forward. We instead vend wildcard certs from ZeroSSL and terminate TLS ourselves. How are you managing cert files with Fly?)
- Create a fly-app.
- Update DNS A/AAAA records (for the names you want to generate certs for, say `fly.domain.tld` and `*.fly.domain.tld`) to point to your fly-app's IPs (`fly ips list -a <fly-app-name>`) (fly uses ALPN challenges to procure certs?).
- Run `flyctl certs create fly.domain.tld` and `flyctl certs create *.fly.domain.tld`.
- Profit?
Wildcard cert for *.fly.domain.tld can serve TLS for xyz.fly.domain.tld / 123.fly.domain.tld / <upto-any-63-chars>.fly.domain.tld but not for fly.domain.tld or abc.domain.tld or xyz.123.fly.domain.tld.
Single hostname cert for fly.domain.tld will serve TLS for fly.domain.tld alone, and nothing else. I am not sure how many single hostname certs fly allows per-app, but you’d not want to vend very many single hostname certs, anyway (given the logistics of it all).
Up to 10 fly-managed single hostname (dns name, ex: fly.domain.tld) certificates are free. Fly-managed wildcard certs (ex: *.fly.domain.tld) cost $2/mo.
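The coverage rules described above (a wildcard matches exactly one leftmost label of up to 63 characters, never the apex name or a deeper subdomain; a single-hostname cert matches that name only) as a small hostname-matching check. This is an added example, not code from the post or from Fly; `cert_covers`, `which_cert` and the `CERTS` list are assumed names, and the hostnames are constructed from the post's own examples.

```python
import re

# DNS label syntax (RFC 1035/1123): 1-63 chars, letters, digits and hyphens,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def cert_covers(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate issued for cert_name (e.g. 'fly.domain.tld'
    or '*.fly.domain.tld') is valid for hostname under the usual TLS
    hostname-matching rules: a leading '*' stands in for exactly one label,
    so it covers neither the apex name nor a multi-level subdomain."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")

    # Every label of the presented hostname must be syntactically valid.
    if not all(_LABEL.match(label) for label in host_labels):
        return False

    # Single-hostname certificate: exact match only.
    if cert_labels[0] != "*":
        return cert_labels == host_labels

    # Wildcard certificate: same label count, and every label after the
    # wildcard must match exactly (so '*.fly.domain.tld' needs 4 labels).
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


# Constructed inventory mirroring the two certs created in the steps above.
CERTS = ["fly.domain.tld", "*.fly.domain.tld"]


def which_cert(cert_names, hostname: str):
    """Return the first certificate name that covers hostname, or None."""
    for name in cert_names:
        if cert_covers(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ["fly.domain.tld", "xyz.fly.domain.tld", "123.fly.domain.tld",
                 "abc.domain.tld", "xyz.123.fly.domain.tld"]:
        print(f"{host:28} -> {which_cert(CERTS, host)}")
```

Running the block prints which of the two certs would serve each name; the apex is served by the single-hostname cert, one-label subdomains by the wildcard, and `abc.domain.tld` and `xyz.123.fly.domain.tld` by neither, which is the gap to keep in mind before relying on a wildcard alone.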