Single validation for domain and its subdomains

As expected, to create a cert for domain.com and www.domain.com requires 2 validations with 2 different values:

  • _acme-challenge.domain.com => domain.com.9d1j.flydns.net.
  • _acme-challenge.www.domain.com => www.domain.com.9d1j.flydns.net.

Regular (non-technical) people don’t want to mess around with DNS records, and I was wondering if there was a way to have a single validation for the root and www using Fly’s network.

(other than handling all the SSL myself)

This is an unfortunately difficult problem with DNS. The “simplest” way to handle this is to skip the DNS-based ACME challenge and:

  1. Point www.domain.com -> <app>.fly.dev with a CNAME
  2. Point domain.com -> IP and domain.com -> IPv6 with A/AAAA records

We’ll validate + issue certificates automatically when you or your customers do that.

This is a big part of why we’re doing DNS hosting, it’s easier to just handle it all in many cases.

So if the A/AAAA records of the root domain point to one of your IPs you issue the cert automatically?

Would pointing CNAME www.domain.com -> <app>.pier.com -> <app>.fly.dev work?

Yep! It’s actually just the AAAA record that’s required, but there’s almost no reason people just want IPv6. This is required for apex domains, since you can’t have CNAME records for example.com.

The CNAME for www also issues the certificate automatically. CNAMEs work great for www.example.com.

So… my customers could just add an A record to the Fly IP for the www subdomain?

Edit:

No, wait that doesn’t make sense. :slight_smile:

All they need for the www. subdomain is a CNAME. We’d just tell people to use CNAMEs for everything if they worked for the “apex” domain. They will (unfortunately) need to add A/AAAA records for apex domains.


Got it!

Thanks again for your help.

I created a cert for domain.com. I then added the A and AAAA records and now the cert is shown as ready.

So then I created the cert for www.domain.com. Then added a CNAME record www.domain.com -> domain.com. And now the cert shows as ready.

Is this even legal? :sweat_smile:

Edit:

Obviously it’s “legal” from a DNS standpoint. @kurt I was wondering if I’m shooting myself in the foot as far as cert creation with Fly is concerned by doing that?


That’ll work great! It does make sense to CNAME -> apex if you’ve already set up A/AAAA records.

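As an added example (not from this thread or from Fly.io), here is a small checker that encodes the rules the replies above describe over a constructed zone table: an apex needs an AAAA record at the Fly address (A alone is not enough, and a CNAME at the apex is invalid), while a subdomain may CNAME to `<app>.fly.dev`, to another CNAME that gets there, or to an apex that already has the AAAA record. The Fly IPv6 address, the app hostname and all zone entries are placeholders I made up; the apex test is a naive "one dot" heuristic, not a public-suffix lookup.

```python
# Constructed placeholders, not real Fly addresses or app names.
FLY_IPV6 = "2001:db8::1"
FLY_APP_HOST = "myapp.fly.dev"

# Constructed zone data: owner name -> list of (record type, value).
ZONE = {
    "domain.com": [("A", "203.0.113.10"), ("AAAA", FLY_IPV6)],
    "www.domain.com": [("CNAME", "domain.com")],       # www -> apex, as in the thread
    "www.pier.com": [("CNAME", FLY_APP_HOST)],          # www -> <app>.fly.dev
    "www.other.com": [("CNAME", "www.pier.com")],       # chain through another CNAME
    "broken.com": [("CNAME", FLY_APP_HOST)],            # CNAME at the apex: not allowed
    "v4only.com": [("A", "203.0.113.10")],              # A only: AAAA is the required record
    "loop.com": [("AAAA", FLY_IPV6)],
    "a.loop.com": [("CNAME", "b.loop.com")],            # CNAME loop, must terminate
    "b.loop.com": [("CNAME", "a.loop.com")],
}


def is_apex(name):
    # Assumption: a single dot means apex (no public-suffix list used).
    return name.count(".") == 1


def can_issue(name, zone, max_hops=8):
    """Return (ok, reason): would the records let the cert be issued automatically?"""
    seen = set()
    cur = name
    for _ in range(max_hops):
        if cur in seen:
            return False, f"CNAME loop at {cur}"
        seen.add(cur)
        records = zone.get(cur, [])
        cnames = [v for t, v in records if t == "CNAME"]
        if cnames:
            if is_apex(cur):
                return False, f"{cur} is an apex; a CNAME is not allowed there"
            if len(records) > len(cnames):
                return False, f"{cur} mixes CNAME with other records"
            cur = cnames[0]  # follow the chain
            if cur == FLY_APP_HOST:
                return True, f"{name} reaches {FLY_APP_HOST} via CNAME"
            continue
        if ("AAAA", FLY_IPV6) in records:
            return True, f"{name} resolves to the Fly AAAA record at {cur}"
        if not records:
            return False, f"{cur} has no records"
        return False, f"{cur} lacks an AAAA record pointing at Fly"
    return False, f"{name}: too many CNAME hops"
```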