I just issued new certificates and it took quite a bit to issue and resolve.
Visiting the page shows SSL_ERROR_ACCESS_DENIED_ALERT
Checking the status on https://www.status-ovhcloud.com/ shows outage on some parts of it but I am not sure if that is the reason.
What is the preferred config to ensure https redirection on Elixir?
If you’re keeping the *.fly.dev name (.dev TLD that is), it happens automatically.
Ref: https://community.fly.io/t/why-is-fly-dev-redirecting-to-https-automatically/
I have the CNAME set on digitalocean to my app correctly, when I access it with the digitalocean based name I get the error. Accessing via the fly.dev name works perfectly.
Not sure what could be the problem.
I had gone through those threads and aligned my code with them.
I have other domains I set up using the same method yesterday and they all resolve correctly.
Not sure if it’s a config issue on my end.
flyctl certs check shows the correct information too.
What does the output of fly certs check show?
Also, what does dig cname <hostname> +short give you?
Usually when certificates aren’t being generated, it’s a DNS configuration error. We need the hostname to be pointed to your app’s IPv6 address to issue a certificate. You can check this by running:
dig aaaa <hostname> +short
And compare that to fly ips list.
The certificate for mydomain.com has been issued.
Hostname = mydomain.com
DNS Provider = digitalocean
Certificate Authority = Let’s Encrypt
Issued = ecdsa,rsa
Added to App = 2 hours ago
Source = fly
I notice that when I run dig cname hostname +short I don’t get anything back.
aaaa is giving me back a value which corresponds to the v6 value in ips list
We are going to need to see the output of dig to help with this. Please run:
dig cname <hostname> +short
dig a <hostname> +short
dig aaaa <hostname> +short
And paste the output here.
Also, please run this command and paste the output:
curl -v -D - -o /dev/null -sS https://<hostname>
Running curl -v -D - -o /dev/null -sS https://<hostname> gets me
* ALPN, offering h2
* ALPN, offering http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS alert, access denied (561):
{ [2 bytes data]
* error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
* Closing connection 0
curl: (35) error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
I am not getting any result from dig cname despite setting the correct CNAME value shown in the certificates section.
I think I found the issue. My certificate works for http://domain and not http://www domain
Is this an Elixir config issue on the Endpoint or I need to issue a certificate for www.?
I issued certs for www.domain and now everything is working correctly.
@kurt should we update the docs to reflect this or a way to issue for www.* and non www?
Oh good catch! www.example.com and example.com are two entirely separate hostnames. Calling that out in our docs would be good, putting it in flyctl might be better: Post-create instructions for "example.com" certificate creation · Issue #736 · superfly/flyctl · GitHub