SSL Certificate did not renew automatically


Today my SSL certificate expired but didn’t renew automatically. I’ve removed it and added it back and it is now fine, but I’d like to avoid this in the future.

I had set up a CNAME to point my domain to my app but I didn’t add the CNAME for the acme_verification; is it the reason why it didn’t renew?

I also saw that the CLI asked me to create a CNAME to redirect traffic to my app (cname pointing to, but the site says that I should create an A record pointing to fly’s IP (under the certificate view).

Which is better and what are the differences between the A record and the CNAME one for redirecting traffic? According to this post, "SSL Cert Expired and did not renew", it affects SSL renewal.


My understanding is if you have an A/AAAA record for your domain or you have the acme-challenge CNAME, the SSL should renew by itself, as either method can be used for verification.

In which case, just a CNAME (so not using A/AAAA or the acme-challenge) would not be sufficient. If that’s correct that would explain the failure.

As regards whether an A record or CNAME is better, I believe for an apex domain (like you need to use an A record. But for subdomains (like you can use either. I guess using an A record avoids one more DNS lookup. But since the IP per app seems fixed I’m not sure there is any other benefit.

Thanks very much, that makes sense.

I have set up the acme CNAME so I should be fine for the next certificate renewal.

