SSL_ERROR_ACCESS_DENIED_ALERT on new certificates.

I just issued new certificates and it took quite a bit to issue and resolve.
Visiting the page shows SSL_ERROR_ACCESS_DENIED_ALERT

Checking the status on https://www.status-ovhcloud.com/ shows outage on some parts of it but I am not sure if that is the reason.

What is the preferred config to ensure https redirection on Elixir?

If you’re keeping the *.fly.dev name (.dev TLD that is), it happens automatically.
Ref: https://community.fly.io/t/why-is-fly-dev-redirecting-to-https-automatically/

I have the CNAME set on DigitalOcean to my app correctly; when I access it with the DigitalOcean-based name I get the error. Accessing via the fly.dev name works perfectly.

Not sure what could be the problem.

Could you check please if this is of any help:
https://fly.io/blog/always-be-connecting-with-https/
https://community.fly.io/t/auto-upgrade-to-https-with-a-custom-domain/
https://community.fly.io/t/custom-domain/2618/
https://community.fly.io/t/ssl-for-custom-domains-phoenix/2885/

I had gone through those threads and aligned my code with them.

I have other domains I set up using the same method yesterday and they all resolve correctly.
Not sure if it’s a config issue on my end.

flyctl certs check shows the correct information too.

What does the output of fly certs check show?

Also, what does dig cname <hostname> +short give you?

Usually when certificates aren’t being generated, it’s a DNS configuration error. We need the hostname to be pointed to your app’s IPv6 address to issue a certificate. You can check this by running:

dig aaaa <hostname> +short

And compare that to fly ips list.

The certificate for mydomain.com has been issued.
Hostname = mydomain.com
DNS Provider = digitalocean
Certificate Authority = Let's Encrypt
Issued = ecdsa,rsa
Added to App = 2 hours ago
Source = fly

I notice that when I run dig cname hostname +short I don't get anything back.
aaaa is giving me back a value which corresponds to the v6 value in ips list.

We are going to need to see the output of dig to help with this. Please run:

dig cname <hostname> +short
dig a <hostname> +short
dig aaaa <hostname> +short

And paste the output here.

Also, please run this command and paste the output:

curl -v -D - -o /dev/null -sS https://<hostname>

Running curl -v -D - -o /dev/null -sS https://<hostname> gets me

* ALPN, offering h2
* ALPN, offering http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS alert, access denied (561):
{ [2 bytes data]
* error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
* Closing connection 0
curl: (35) error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied

I am not getting any result from dig cname despite setting the correct CNAME value shown in the certificates section.

I think I found the issue. My certificate works for http://domain and not http://www.domain.

Is this an Elixir config issue on the Endpoint, or do I need to issue a certificate for www.?

I issued certs for www.domain and now everything is working correctly.

@kurt should we update the docs to reflect this or a way to issue for www.* and non www?

Oh good catch! www.example.com and example.com are two entirely separate hostnames. Calling that out in our docs would be good, putting it in flyctl might be better: Post-create instructions for "example.com" certificate creation · Issue #736 · superfly/flyctl · GitHub
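The three checks the thread walks through (does the hostname's AAAA match the app's IPv6 from fly ips list, does curl -v show an "access denied" TLS alert, and has a certificate been issued for both the apex and the www hostname) can be scripted as an offline triage helper. The following is an added example, not code from Fly.io, flyctl or any poster in this thread; it runs over constructed samples in the shape of the tools' output, and the column layout assumed for fly ips list (VERSION, IP, TYPE, REGION, ...) is an assumption, as are the addresses, which use documentation ranges.

```python
"""Offline triage helpers for the symptoms in this thread (added example, not Fly.io code).

  1. DNS: the hostname's AAAA record must be one of the app's IPv6 addresses.
  2. TLS: a fatal "access denied" alert from the edge means no certificate exists
     for that exact hostname (www.example.com and example.com are different names).
  3. Coverage: report which of apex / www still lacks an issued certificate.
All inputs are constructed samples; the `fly ips list` column layout is assumed.
"""
import ipaddress
import re


# --- 1. DNS vs. app IPs ------------------------------------------------------

def parse_dig_short(output: str) -> list[str]:
    """`dig <type> <host> +short` prints one record per line; empty output is normal
    when no record of that type exists (as with the poster's missing CNAME)."""
    return [line.strip().rstrip(".") for line in output.splitlines() if line.strip()]


def parse_fly_ips(output: str) -> dict[str, set[str]]:
    """Collect addresses from a `fly ips list` table. Assumed columns:
    VERSION  IP  TYPE  REGION ...; header and blank lines are skipped."""
    ips: dict[str, set[str]] = {"v4": set(), "v6": set()}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ips:
            ips[parts[0]].add(parts[1])
    return ips


def dns_points_at_app(aaaa_output: str, fly_ips_output: str) -> bool:
    """Certificate issuance needs the AAAA answer to be one of the app's v6 IPs."""
    app_v6 = {ipaddress.ip_address(a) for a in parse_fly_ips(fly_ips_output)["v6"]}
    for rec in parse_dig_short(aaaa_output):
        try:
            if ipaddress.ip_address(rec) in app_v6:
                return True
        except ValueError:
            continue  # not an address (e.g. a CNAME target echoed by dig)
    return False


# --- 2. curl -v verdict ------------------------------------------------------

# Matches lines such as "* TLSv1.3 (IN), TLS alert, access denied (561):"
ALERT_RE = re.compile(r"TLS alert, (?P<desc>[a-z ]+?) \((?P<code>\d+)\)")


def tls_verdict(curl_stderr: str) -> str:
    """Map curl's verbose handshake trace to a short diagnosis."""
    m = ALERT_RE.search(curl_stderr)
    if m:
        desc = m["desc"].strip()
        if desc == "access denied":
            return "no certificate for this exact hostname at the edge"
        return f"TLS alert: {desc} ({m['code']})"
    if re.search(r"SSL connection using TLSv1\.[23]", curl_stderr):
        return "handshake ok"
    return "undetermined"


# --- 3. apex vs www ----------------------------------------------------------

def missing_cert_hostnames(domain: str, issued: set[str]) -> list[str]:
    """Apex and www are separate hostnames; return those without a certificate."""
    return [h for h in (domain, f"www.{domain}") if h not in issued]


# Constructed samples (documentation address ranges, not real deployments).
DIG_AAAA_OK = "2001:db8::1\n"
FLY_IPS = (
    "VERSION\tIP\tTYPE\tREGION\tCREATED AT\n"
    "v4\t203.0.113.10\tpublic (shared)\tglobal\t1h ago\n"
    "v6\t2001:db8::1\tpublic\tglobal\t1h ago\n"
)
CURL_DENIED = (
    "* TLSv1.3 (OUT), TLS handshake, Client hello (1):\n"
    "* TLSv1.3 (IN), TLS alert, access denied (561):\n"
    "* error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied\n"
)

if __name__ == "__main__":
    print("AAAA matches app v6:", dns_points_at_app(DIG_AAAA_OK, FLY_IPS))
    print("curl verdict:", tls_verdict(CURL_DENIED))
    print("still need certs:", missing_cert_hostnames("mydomain.com", {"mydomain.com"}))
```

In practice you would pipe the real outputs of dig aaaa <hostname> +short, fly ips list and curl -v -D - -o /dev/null -sS https://<hostname> into these functions; the access-denied branch is the thread's case, where DNS was correct but the www hostname simply had no certificate of its own.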