Fly will happily vend wildcard certs and terminate TLS on your app’s behalf.
(Note: I haven’t tried those steps myself, but they seem pretty straight-forward. We instead vend wildcard certs from ZeroSSL and terminate TLS ourselves. How are you managing cert files with Fly?)
- Create a fly-app.
- Update DNS `A`/`AAAA` records (for the names you want to generate certs for, say `fly.domain.tld` and `*.fly.domain.tld`) to point to your fly-app's IPs: `fly ips list -a <fly-app-name>` (fly uses ALPN challenges to procure certs?).
- Run `flyctl certs create fly.domain.tld` and `flyctl certs create *.fly.domain.tld`
- Profit?

Wildcard cert for `*.fly.domain.tld` can serve TLS for `xyz.fly.domain.tld` / `123.fly.domain.tld` / `<upto-any-63-chars>.fly.domain.tld` but not for `fly.domain.tld` or `abc.domain.tld` or `xyz.123.fly.domain.tld`.

Single hostname cert for `fly.domain.tld` will serve TLS for `fly.domain.tld` alone, and nothing else. I am not sure how many single hostname certs fly allows per app, but you'd not want to vend very many single hostname certs, anyway (given the logistics of it all).

Up to 10 fly-managed single hostname (dns name, ex: `fly.domain.tld`) certificates are free. Fly-managed wildcard certs (ex: `*.fly.domain.tld`) cost $2/mo.
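The coverage rule in the reply above (a wildcard matches exactly one DNS label of at most 63 characters, never the apex name and never an extra level) as an added checker, not code from Fly or from the poster; the hostnames fed to it are constructed samples mirroring the post.

```python
"""Which hostnames does a single-label wildcard certificate cover?"""
import re

# One DNS label: 1-63 chars of letters, digits and hyphens,
# not starting or ending with a hyphen (RFC 1035 / RFC 1123).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(hostname: str) -> bool:
    """Every label must be well-formed and the whole name <= 253 chars."""
    if not hostname or len(hostname) > 253:
        return False
    return all(_LABEL.match(label) for label in hostname.split("."))


def cert_covers(cert_name: str, hostname: str) -> bool:
    """True if a cert issued for `cert_name` can serve TLS for `hostname`.

    - An exact name matches only itself.
    - "*.parent" matches exactly one left-most label (RFC 6125 style):
      it matches neither the parent itself nor names with extra labels.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not valid_hostname(hostname):
        return False                       # e.g. a 64-char label
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[2:]                 # "fly.domain.tld"
    if not hostname.endswith("." + suffix):
        return False                       # apex or unrelated name
    leftmost = hostname[: -len(suffix) - 1]
    return "." not in leftmost             # exactly one label


def coverage(cert_name: str, hostnames):
    """Map each hostname to whether `cert_name` covers it."""
    return {h: cert_covers(cert_name, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample names taken from the post's examples.
    report = coverage("*.fly.domain.tld", [
        "xyz.fly.domain.tld", "123.fly.domain.tld", "fly.domain.tld",
        "abc.domain.tld", "xyz.123.fly.domain.tld",
    ])
    for name, ok in report.items():
        print(f"{name:26} {'covered' if ok else 'NOT covered'}")
```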