Today my SSL certificate expired but didn’t renew automatically. I’ve removed it and added it back and it is now fine, but I’d like to avoid this in the future.
I had set up a CNAME to point my domain to my app, but I didn’t add the CNAME for the acme_verification. Is that the reason why it didn’t renew?
I also saw that the CLI asked me to create a CNAME to redirect traffic to my app (a CNAME pointing to my-app.fly.dev.), but the fly.io site says that I should create an A record pointing to Fly’s IP (under the certificate view).
Which is better, and what are the differences between the A record and the CNAME one for redirecting traffic? According to this post (SSL Cert Expired and did not renew) it affects SSL renewal.
My understanding is that if you have an A/AAAA record for your domain or you have the acme-challenge CNAME, the SSL should renew by itself, as either method can be used for verification.
In which case, just a CNAME (so not using A/AAAA or the acme-challenge) would not be sufficient. If that’s correct, that would explain the failure.
As regards whether an A record or CNAME is better, I believe for an apex domain (like domain.com) you need to use an A record. But for subdomains (like api.domain.com) you can use either. I guess using an A record avoids one more DNS lookup. But since the IP per app seems fixed I’m not sure there is any other benefit.
@Team Unfortunately I don’t know. You are right: normally certificates issued by Let’s Encrypt (being valid for 90 days) should be auto-renewed at the 30 days (or less) point. But I don’t know how Fly manages that auto-renewal or exactly when it happens.
Assuming you don’t have a contact email address (via a paid support plan) it may be worth starting a new thread to ask that. Someone from Fly should see that and get back to you.
We renew them 30 days early, but our edge caches may keep using the previous one until ~7 days before it expires. If you run fly certs show <hostname> you should see what the most up to date version we have is.
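To make the two rules stated in this thread checkable (verification needs an A/AAAA record or an _acme-challenge CNAME, not a bare CNAME; Fly renews about 30 days early and edges may serve the old certificate until roughly 7 days before expiry), here is an added Python example. It is not code from the thread or from Fly’s tooling: the DNS records are a constructed sample, the thresholds are taken from the posts above, and fetch_not_after makes a live TLS connection to read the certificate the edge actually serves.

```python
import socket
import ssl
from datetime import datetime, timezone

# Figures quoted in the thread: Fly renews ~30 days early, and edge caches
# may keep serving the old certificate until ~7 days before expiry.
RENEW_DAYS = 30
EDGE_REFRESH_DAYS = 7

def acme_verification_ready(hostname, records):
    """records maps a DNS name to {rtype: [values]}, as a resolver would
    return them. Following the thread: an A/AAAA record on the hostname, or
    a CNAME on _acme-challenge.<hostname>, lets verification succeed; a CNAME
    on the hostname alone does not."""
    host = records.get(hostname, {})
    if host.get("A") or host.get("AAAA"):
        return True
    challenge = records.get("_acme-challenge." + hostname, {})
    return bool(challenge.get("CNAME"))

def classify_days(days_left):
    """Bucket the remaining lifetime using the thread's thresholds."""
    if days_left < 0:
        return "expired"
    if days_left < EDGE_REFRESH_DAYS:
        return "critical"        # edge should have rotated by now; investigate
    if days_left < RENEW_DAYS:
        return "renewal-window"  # Fly should already hold a renewed cert
    return "ok"

def cert_status(not_after, now):
    return classify_days((not_after - now).days)

def fetch_not_after(hostname, port=443):
    """Live check: read notAfter from the certificate the edge actually serves."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

# Constructed sample (not real DNS data): the first poster's setup, a CNAME on
# the hostname but no _acme-challenge record.
SAMPLE_RECORDS = {"www.example.com": {"CNAME": ["my-app.fly.dev."]}}

if __name__ == "__main__":
    import sys
    print("sample DNS ready:", acme_verification_ready("www.example.com", SAMPLE_RECORDS))
    if len(sys.argv) > 1:  # optional live check of the served certificate
        print(sys.argv[1], cert_status(fetch_not_after(sys.argv[1]), datetime.now(timezone.utc)))
```

Run it with a hostname argument to classify the certificate currently served; a "renewal-window" result while fly certs show still reports the old certificate is the situation this thread describes.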
@kurt If I run fly certs www.indianflirt.in I get some information but nothing about versions afaict
$ fly certs show www.indianflirt.in
The certificate for www.indianflirt.in has been issued.
Hostname = www.indianflirt.in
DNS Provider = aws
Certificate Authority = Let's Encrypt
Issued = rsa,ecdsa
Added to App = 4 months ago
Source = fly
That’s what we have been experiencing over the past months on all our organizations.
But recently one of our organizations (id: x7MlK3RXyoMBxsjKj3bLyk1bLxsezm) does not seem to be renewing certificates.
We have 4 apps where their certificate will expire in 14 days (November 24, 2022).
Is this a fluke in Fly? Will it automatically be resolved 10 days before the expiration?
Finally all the certificates got renewed on Sunday at 11:25am.
Maybe it just takes a little while to get picked up. Still, @jerome, perhaps you know what did the trick: removing the _acme-challenge records or adding IPv6 support?