Requesting easier way to get wildcard certs from Cloudflare

In order to use Cloudflare SSL full, you need to install a cert, for subdomains, wildcard certs, on the fly app. However, this is much harder than just clicking a button.

Ploi (server management) can request a wildcard cert from Cloudflare and install it with your Cloudflare API details. That way there’s no need to deal with domain verification, only A/AAAA records.

Can fly.io do the same?

In order to use Cloudflare SSL full, you need to install a cert, for subdomains, wildcard certs, on the fly app. However, this is much harder than just clicking a button.

Concur.

For Fly to support BYO certificates shouldn’t be hard given they already have the (PKI) infrastructure set up. Maybe they should open it up, presumably via flyctl, for private CAs even if not for public CAs. I don’t know how hard (raw TCP) or easy (HTTP) it is.

cc: @kurt

Haven’t spent a lot of time looking it up… if parts of Ploi are open source, you could check if the part that does this is open source.
And use it for “inspiration”.

1 Like

We have an unsupported API mutation for importing a certificate you might be able to use: GraphQL Playground

The caveats to using this are: getting certs in the right format is tricky, so it’ll take some experimentation. We also stop serving certificates after they expire so you need to make sure you keep it renewed.

2 Likes

You don’t necessarily need a wildcard certificate. For the “Full” mode, any (even invalid) certificate works.

For the “Full (Strict)” mode, you need a valid certificate. This can be a Cloudflare Origin certificate valid for up to 15 years (assuming you use the proxied mode; you can download them in your CF dashboard), or regular valid certificates will work too.

For both, there is no wildcard requirement. For “Full (Strict)”, you just need one that matches the requested domain or subdomain (e.g. www.example.com).

So Fly’s certificates should work fine (again, both wildcard and single-domain ones).

1 Like
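Two things in this thread decide whether an imported certificate will actually work: the importer stops serving it once it expires, and “Full (Strict)” needs it to cover the requested hostname (a wildcard covers www.example.com but not the apex). The Go program below is an added pre-import check written for this thread, not Fly.io or Cloudflare code; it parses a PEM certificate, checks the validity window, and does SAN/wildcard matching with the standard library. `SelfSignedPEM` only builds a constructed test certificate so the check can be run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckOriginCert reports whether a PEM certificate would satisfy Cloudflare
// "Full (Strict)" for hostname at time now: it must be within its validity
// window and its SANs must cover the hostname (exact or *.wildcard match).
func CheckOriginCert(certPEM []byte, hostname string, now time.Time) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("outside validity %s..%s; renew and re-import", cert.NotBefore, cert.NotAfter)
	}
	// VerifyHostname applies SAN matching, including *.example.com wildcards,
	// which is what decides whether the cert "matches the requested domain".
	if err := cert.VerifyHostname(hostname); err != nil {
		return fmt.Errorf("does not cover %s: %w", hostname, err)
	}
	return nil
}

// SelfSignedPEM builds a constructed test certificate (not a real Cloudflare
// Origin certificate) with the given SANs and validity window.
func SelfSignedPEM(dnsNames []string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway test key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run the check against the real PEM you intend to import (and again before its NotAfter, as a renewal reminder) rather than against the constructed certificate.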