Moving cert from one project to another

Hi there,

How will I go about moving a cert from project A to project B?

I have two CNAMEs currently on another DNS provider. One subdomain CNAME points to, the second subdomain CNAME points to I want to modify the second domain CNAME to point to How will I then go about moving the cert from the to app?

Is it just a matter of deleting the cert on and asking for a new one on with: flyctl certs add Or is there a better process to ensure that we don’t run into a invalid/mis-configured cert issue?


You don’t have to delete the first cert before adding the second one. I’m sure the old one wouldn’t renew after you make the change, but for a Let’s Encrypt cert that will only be every couple of months. I’ve just been adding the new cert, finishing up whatever other transfers I need to do, then removing the old cert or deleing the old project.

@bekit thanks! And that works without downtime? :slight_smile:

Depends on how you do it :slight_smile:

You should be able to go in this order and get no downtime:

  1. Spin up your new fly application and make sure your service is running properly there
  2. Add the certificate through the fly cli or web front end
  3. Follow the instructions on approving the certificate with DNS records (a CNAME record for acme validation). These steps are documented here: Configuring certificates before accepting traffic · Fly
  4. Verify that the cert shows as ready under flyctl certs list
  5. Finally, switch your DNS entries to point to the new app’s IP (or using a CNAME record to

As with any DNS change, you’ll have folks hitting both services for a while until caches expire, but that should allow for no downtime.

Ahh thanks!

If I were to just change the DNS entries’ CNAME to point to the new address and skip the whole ACME setup, will DNS resolutions to the old (while DNS propagation takes affect) cause an SSL error?

You’ll get SSL errors while you wait for the new certificate. That’s not an issue for new apps, but doing ACME validation first lets the certificate get issued before you start sending traffic to the new host.

Thanks for the clarification! That makes perfect sense. :smiley: