Misleading command line prompts for creating a certificate

I used flyctl certs create "*.validate.run" and I got this:

You are creating a wildcard certificate for *.validate.run
We are using lets_encrypt for this certificate.

You can validate your ownership of *.validate.run by:

1: Adding an AAAA record to your DNS service which reads:

    AAAA @ 2a09:8280:1::3:484c


1: Adding an CNAME record to your DNS service which reads:

    CNAME _acme-challenge.validate.run => validate.run.9o0nx.flydns.net.

From what I understand, this means that the AAAA record is enough to validate ownership. I thought “well that’s probably some new thing, let’s just follow it”. Turns out it doesn’t work and I didn’t figure out what I need to do until I went to the GUI website and there the OR was gone. Suddenly the CNAME record is the only way to verify ownership (which makes sense)

Good catch! A DNS01 challenge is the only way to validate a wildcard cert using Let’s Encrypt on Fly.

Thanks for pointing this out! Flyctl’s instructions aren’t correct, so following the web ui was the right move. I’ve made a note of this so that we can get better instructions out to flyctl sometime soon :slightly_smiling_face:

Perfect, I only wanted to point out so you have it noted somewhere and it’s not overlooked. It worked flawless with the cname record instruction, I am really happy with how easy fly makes SSL certs