Today my SSL certificate expired but didn’t renew automatically. I’ve removed it and added it back and it is now fine, but I’d like to avoid this in the future.
I had set up a CNAME to point my domain to my app, but I didn’t add the CNAME for the acme_verification. Is it the reason why it didn’t renew?
I also saw that the CLI asked me to create a CNAME to redirect traffic to my app (CNAME pointing to my-app.fly.dev.), but the fly.io site says that I should create an A record pointing to fly’s IP (under the certificate view).
Which is better, and what are the differences between the A record and the CNAME one for redirecting traffic? According to this post, "SSL Cert Expired and did not renew", it affects SSL renewal.
My understanding is that if you have an A/AAAA record for your domain or you have the acme-challenge CNAME, the SSL should renew by itself, as either method can be used for verification.
In which case, just a CNAME (so not using A/AAAA or the acme-challenge) would not be sufficient. If that’s correct, that would explain the failure.
As regards whether an A record or CNAME is better, I believe for an apex domain (like domain.com) you need to use an A record. But for subdomains (like api.domain.com) you can use either. I guess using an A record avoids one more DNS lookup. But since the IP per app seems fixed I’m not sure there is any other benefit.