Today my SSL certificate expired but didn't renew automatically. I've removed it and added it back and it is now fine, but I'd like to avoid this in the future.
I had set up a CNAME to point my domain to my app, but I didn't add the CNAME for the acme_verification. Is that the reason why it didn't renew?
I also saw that the CLI asked me to create a CNAME to redirect traffic to my app (CNAME pointing to my-app.fly.dev.), but the fly.io site says that I should create an A record pointing to Fly's IP (under the certificate view).
Which is better, and what are the differences between the A record and the CNAME one for redirecting traffic? According to this post, SSL Cert Expired and did not renew, it affects SSL renewal.
My understanding is that if you have an A/AAAA record for your domain, or you have the acme-challenge CNAME, the SSL should renew by itself, since either method can be used for verification.
In which case, just a CNAME (so not using A/AAAA or the acme-challenge) would not be sufficient. If that's correct, that would explain the failure.
As regards whether an A record or CNAME is better, I believe for an apex domain (like domain.com) you need to use an A record. But for subdomains (like api.domain.com) you can use either. I guess using an A record avoids one more DNS lookup. But since the IP per app seems fixed, I'm not sure there is any other benefit.
Hello greg, I notice a bunch of our certificates are expiring in 20 days. Do you know, by chance, when the renewal will take place? On other servers I manage, we renew our certs 30d before expiration.
@Team Unfortunately I don't know. You are right: normally certificates issued by Let's Encrypt (being valid for 90 days) should be auto-renewed at the 30-day (or less) point. But I don't know how Fly manages that auto-renewal or exactly when it happens.
Assuming you don’t have a contact email address (via a paid support plan) it may be worth starting a new thread to ask that. Someone from Fly should see that and get back to you.
We renew them 30 days early, but our edge caches may keep using the previous one until ~7 days before it expires. If you run fly certs show <hostname> you should see what the most up to date version we have is.
@kurt If I run fly certs show www.indianflirt.in I get some information, but nothing about versions afaict:
```
$ fly certs show www.indianflirt.in
The certificate for www.indianflirt.in has been issued.
Hostname                  = www.indianflirt.in
DNS Provider              = aws
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 4 months ago
Source                    = fly
```
That’s what we have been experiencing over the past months on all our organizations.
But recently one of our organizations (id: x7MlK3RXyoMBxsjKj3bLyk1bLxsezm) does not seem to be renewing certificates.
We have 4 apps whose certificate will expire in 14 days (November 24, 2022).
Is this a fluke in Fly? Will it automatically be resolved 10 days before the expiration?
I just looked at your apps’ certificates and noticed most of them did not pass our check.
6 of them are missing an IPv6 pointed at us. Can you make sure to add an AAAA record for your Fly IPv6 for each of them? Normally a CNAME should work if your DNS provider does CNAME flattening.
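An added example, not code from this thread or from Fly: a small Python checker that applies the two renewal paths discussed above (greg's "A/AAAA records or the _acme-challenge CNAME" summary, and jerome's finding that a hostname with no AAAA pointed at the app fails the check) to a constructed in-memory zone. Every hostname, address and the flydns.net delegation target in it is made up, and the exact rules Fly applies are an assumption reconstructed from the posts, not Fly's documented logic.

```python
"""Added example (not Fly's code): check whether a custom hostname's DNS
gives an ACME-issuing edge like Fly a way to validate and auto-renew its cert.

Two paths, taken from the thread (treat the exact rules as an assumption):
  1. A and AAAA answers (after any CNAME chain, i.e. what a real or
     CNAME-flattening resolver returns) contain the IPv4 and IPv6 the app owns;
     then the edge terminates TLS for the name and can answer the challenge.
  2. _acme-challenge.<hostname> is a CNAME delegating DNS-01 to the provider.
Anything else (only IPv4, or addresses owned by a CDN proxy) fails the check.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample zone; every name and address here is made up.
APP_IPV4 = "203.0.113.10"
APP_IPV6 = "2001:db8::10"
ZONE = {
    # direct A/AAAA, as Fly's certificate page suggests
    ("api.example.com", "A"): [APP_IPV4],
    ("api.example.com", "AAAA"): [APP_IPV6],
    # CNAME to the app plus a DNS-01 delegation (hypothetical flydns.net target)
    ("www.example.com", "CNAME"): ["my-app.fly.dev."],
    ("my-app.fly.dev", "A"): [APP_IPV4],
    ("my-app.fly.dev", "AAAA"): [APP_IPV6],
    ("_acme-challenge.www.example.com", "CNAME"): ["www.example.com.abc123.flydns.net."],
    # IPv4 only: the situation jerome found on six certificates
    ("blog.example.com", "A"): [APP_IPV4],
    # behind a proxying CDN: the answers are the CDN's addresses, not the app's
    ("shop.example.com", "A"): ["198.51.100.77"],
    ("shop.example.com", "AAAA"): ["2001:db8:ffff::77"],
}

Lookup = Callable[[str, str], List[str]]


def resolve(name: str, rtype: str, _depth: int = 0) -> List[str]:
    """Toy recursive resolver over ZONE.  Follows CNAME chains for A/AAAA
    queries the way a real resolver (or a CNAME-flattening provider) does,
    so a hostname CNAMEd to the app yields the app's addresses."""
    name = name.rstrip(".").lower()
    if _depth > 8:  # guard against CNAME loops
        return []
    if (name, rtype) in ZONE:
        return list(ZONE[(name, rtype)])
    cname = ZONE.get((name, "CNAME"))
    if cname and rtype != "CNAME":
        return resolve(cname[0], rtype, _depth + 1)
    return []


@dataclass
class DnsCheck:
    hostname: str
    cname_target: Optional[str]
    ipv4: List[str]
    ipv6: List[str]
    acme_target: Optional[str]
    ipv4_ok: bool = False
    ipv6_ok: bool = False
    acme_delegated: bool = False
    verdict: str = ""


def check_hostname(hostname: str, app_ipv4: str, app_ipv6: str,
                   lookup: Lookup = resolve) -> DnsCheck:
    """Classify a hostname's DNS against the two renewal paths above.
    Pass a different lookup (e.g. one wrapping a real resolver library)
    to run the same classification against live DNS."""
    cname = lookup(hostname, "CNAME")
    acme = lookup("_acme-challenge." + hostname, "CNAME")
    r = DnsCheck(hostname, cname[0] if cname else None,
                 lookup(hostname, "A"), lookup(hostname, "AAAA"),
                 acme[0] if acme else None)
    r.ipv4_ok = app_ipv4 in r.ipv4
    r.ipv6_ok = app_ipv6 in r.ipv6
    r.acme_delegated = r.acme_target is not None
    if r.ipv4_ok and r.ipv6_ok:
        r.verdict = "ok: A and AAAA resolve to the app (directly or via CNAME)"
    elif r.acme_delegated:
        r.verdict = "ok: DNS-01 delegated via _acme-challenge CNAME"
    elif r.ipv4_ok or r.ipv6_ok:
        r.verdict = "fail: missing %s record for the app" % ("AAAA" if r.ipv4_ok else "A")
    elif r.ipv4 or r.ipv6:
        r.verdict = "fail: resolves to addresses the app does not own (proxy/CDN in front?)"
    else:
        r.verdict = "fail: hostname does not resolve"
    return r


if __name__ == "__main__":
    for host in ("api.example.com", "www.example.com", "blog.example.com", "shop.example.com"):
        res = check_hostname(host, APP_IPV4, APP_IPV6)
        print(f"{host:18} cname={res.cname_target} acme={res.acme_target} -> {res.verdict}")
```

The "blog" case is the one jerome describes (A present, AAAA absent), and the "shop" case is the proxied-CDN setup from later in the thread: the name resolves, but to addresses the app does not own, so neither path is available and the certificate will not renew unless the _acme-challenge delegation is added.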
Thank you @jerome nicely spotted.
In a few organizations we hadn't set up IPv6. We have now added AAAA records for all the affected certificates.
Clicking "check again" and waiting around an hour did not work. I have now also removed the _acme-challenge records.
Still, one would expect the _acme-challenge CNAME records to work without DNS flattening. We had this working before, and Fly managed to create certificates even without pointing A/AAAA records.
Also it would be really nice if the UI reflected this check, on our side everything is green.
Finally, all the certificates got renewed on Sunday at 11:25am.
Maybe it just takes a little while to get picked up. Still, @jerome, perhaps you know what did the trick: removing the _acme-challenge records or adding IPv6 support?
I believe this one was on our end. I discovered a bug that prevented automatic renewals. I fixed it yesterday morning and we issued 2500 certs that should've been issued earlier!
Thanks for the reply. I went and deleted the expired certs and recreated them to get my app accessible.
I'm using Cloudflare Proxy, CNAME => <app>.fly.dev. I'm not sure if I needed to do anything to get it to auto-renew.
I created those certs 3 months ago and the "Verified" status was never green, but the certs still worked. When I recreated them now, it's green (Verified)... I'm not sure if that had anything to do with it.
BTW, I had 2 apps fail to renew when they expired on 9/10.
Cloudflare proxying won’t work for the “easy” way to automatically renew certificates. You’ll need to add a DNS record for that to work.
I'm not sure how the certs were created this time or the last, because when we can't detect our own IPs or don't control the TLS handshake, we won't go ahead with Let's Encrypt's challenge verification.