Misleading command line prompts for creating a certificate

I used flyctl certs create "*.validate.run" and I got this:

You are creating a wildcard certificate for *.validate.run
We are using lets_encrypt for this certificate.

You can validate your ownership of *.validate.run by:

1: Adding an AAAA record to your DNS service which reads:

    AAAA @ 2a09:8280:1::3:484c

 OR

1: Adding an CNAME record to your DNS service which reads:

    CNAME _acme-challenge.validate.run => validate.run.9o0nx.flydns.net.

From what I understand, this means that the AAAA record is enough to validate ownership. I thought “well, that’s probably some new thing, let’s just follow it”. Turns out it doesn’t work, and I didn’t figure out what I needed to do until I went to the GUI website, where the OR was gone. Suddenly the CNAME record is the only way to verify ownership (which makes sense).

Good catch! A DNS01 challenge is the only way to validate a wildcard cert using Let’s Encrypt on Fly.

Thanks for pointing this out! Flyctl’s instructions aren’t correct, so following the web UI was the right move. I’ve made a note of this so that we can get better instructions out to flyctl sometime soon 🙂

Perfect, I only wanted to point it out so you have it noted somewhere and it’s not overlooked. It worked flawlessly with the CNAME record instruction; I am really happy with how easy Fly makes SSL certs.