SSL Certificate did not renew automatically


Today my SSL certificate expired but didn’t renew automatically. I’ve removed it and added it back and it is now fine, but I’d like to avoid this in the future.

I had set up a CNAME to point my domain to my app, but I didn’t add the CNAME for the acme_verification. Is that the reason why it didn’t renew?

I also saw that the CLI asked me to create a CNAME to redirect traffic to my app (cname pointing to, but the site says that I should create an A record pointing to fly’s IP (under the certificate view).

Which is better and what are the differences between the A record and the CNAME one for redirecting traffic? According to this post SSL Cert Expired and did not renew it affects SSL renewal.


My understanding is that if you have an A/AAAA record for your domain or you have the acme-challenge CNAME, the SSL should renew by itself, as either method can be used for verification.

In which case, just a CNAME (so not using A/AAAA or the acme-challenge) would not be sufficient. If that’s correct that would explain the failure.

As regards whether an A record or CNAME is better, I believe for an apex domain (like you need to use an A record. But for subdomains (like you can use either. I guess using an A record avoids one more DNS lookup. But since the IP per app seems fixed I’m not sure there is any other benefit.

Thanks very much, that makes sense.

I have set up the acme CNAME so I should be fine for the next certificate renewal.


Hello greg, I notice a bunch of our certificates are expiring in 20 days. Do you know by chance, when the renewal will take place? On other servers I manage, we renew our certs 30d before expiration


@Team Unfortunately I don’t know. You are right: normally certificates issued by Let’s Encrypt (being valid for 90 days) should be auto-renewed at the 30 days (or less) point. But I don’t know how Fly manages that auto-renewal or exactly when it happens.

Assuming you don’t have a contact email address (via a paid support plan) it may be worth starting a new thread to ask that. Someone from Fly should see that and get back to you.

We renew them 30 days early, but our edge caches may keep using the previous one until ~7 days before it expires. If you run fly certs show <hostname> you should see what the most up to date version we have is.


Thank you Greg and Kurt!

@kurt If I run fly certs I get some information but nothing about versions afaict

$ fly certs show
The certificate for has been issued.

Hostname                  =
DNS Provider              = aws
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 4 months ago
Source                    = fly

OK, found out that the command likely should read fly certs list <domain>

That’s what we have been experiencing over the past months on all our organizations.

But recently one of our organizations (id: x7MlK3RXyoMBxsjKj3bLyk1bLxsezm) does not seem to be renewing certificates.
We have 4 apps where their certificate will expire in 14 days (November 24, 2022).

Is this a fluke in Fly? Will it automatically be resolved 10 days before the expiration?

I just looked at your apps’ certificates and noticed most of them did not pass our check.

6 of them are missing an IPv6 pointed at us. Can you make sure to add an AAAA record for your Fly IPv6 for each of them? Normally a CNAME should work if your DNS provider does CNAME flattening.

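The two rules stated in this thread (greg’s: A/AAAA or an _acme-challenge CNAME; jerome’s: the check wants the app’s IPv6 resolvable, which a bare CNAME only gives you when the provider flattens it) as a DNS preflight. This is an added example, not Fly’s code or anyone’s post; the record sets, app IPs and CNAME targets are constructed placeholders, and a real resolver would be plugged in to check live zones.

```python
"""Preflight for the DNS shapes discussed in this thread: A/AAAA records that
resolve to the app's Fly IPs, a CNAME to the app (only useful when the provider
flattens it), and the _acme-challenge CNAME. All data below is constructed."""
from dataclasses import dataclass, field

@dataclass
class Records:
    """What a resolver returned for one hostname (constructed sample data)."""
    a: list = field(default_factory=list)
    aaaa: list = field(default_factory=list)
    cname: list = field(default_factory=list)       # CNAME of <host> itself
    acme_cname: list = field(default_factory=list)  # CNAME of _acme-challenge.<host>

def check_host(host, zone, rec, fly_v4, fly_v6):
    """Return (verification_path, findings). Paths: 'address', 'acme-cname', 'none'."""
    findings = []
    apex = host.rstrip(".") == zone.rstrip(".")
    v4_ok = bool(set(rec.a) & set(fly_v4))
    v6_ok = bool(set(rec.aaaa) & set(fly_v6))
    if apex and rec.cname:
        findings.append("CNAME at the zone apex is not valid; use A/AAAA records")
    if not v4_ok:
        findings.append("no A record resolving to the app's Fly IPv4")
    if not v6_ok:
        note = " (CNAME present but provider did not flatten it)" if rec.cname else ""
        findings.append("no AAAA record resolving to the app's Fly IPv6" + note)
    if v4_ok and v6_ok:
        path = "address"
    elif rec.acme_cname:
        path = "acme-cname"  # the fallback described above: only the challenge CNAME
    else:
        path = "none"
        findings.append("no _acme-challenge CNAME either; nothing for ACME to verify")
    return path, findings

# Constructed sample: documentation-range app IPs and three hosts in different states.
FLY_V4 = ["203.0.113.10"]
FLY_V6 = ["2001:db8::10"]
ZONE = "example.com"
SAMPLE = {
    "example.com": Records(a=["203.0.113.10"], aaaa=["2001:db8::10"]),
    "www.example.com": Records(cname=["app.example.invalid."],
                               acme_cname=["acme-target.example.invalid."]),
    "api.example.com": Records(cname=["app.example.invalid."]),  # unflattened, no challenge
}

def report(sample=SAMPLE):
    return {h: check_host(h, ZONE, r, FLY_V4, FLY_V6) for h, r in sample.items()}

if __name__ == "__main__":
    for host, (path, findings) in report().items():
        print(f"{host}: {path}", *findings, sep="\n  ")
```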

Thank you @jerome nicely spotted.
In a few organizations we haven’t set up IPv6. We have now added AAAA records for all the affected certificates.

Clicking check-again and waiting for about an hour did not work. I have now also removed the _acme-challenge records.

Still one would expect the _acme-challenge CNAME records to work without DNS flattening. We had this working before, and fly managed to create certificates even without pointing A/AAAA records.

Also it would be really nice if the UI reflected this check, on our side everything is green.

Are we still missing something?


Finally all the certificates got renewed during Sunday at 11:25am
Maybe it just takes a little while to get picked up. Still, @jerome, perhaps you know what did the trick: removing the _acme-challenge records or adding IPv6 support?

I believe this one was on our end. I discovered a bug that prevented automatic renewals. I fixed it yesterday morning and we issued 2500 certs that should’ve been issued earlier!