SSL renewal when using Cloudflare Proxy

This is closely related to this:
Unable to get SSL cert issued with Cloudflare proxy - Questions / Help - Fly.io

I have two apps. One of them runs at example.com, and the other one at *.example.com. As I understand it, for me to use the Cloudflare proxy with Fly’s automatic certificate renewal I need to set an _acme-challenge CNAME record.

This would have worked, but since I have example.com and *.example.com running as different apps, they require different values for _acme-challenge, and I can only have one when configuring DNS (from what I know).

What’s a work-around in this case?


Hi,

You are right in that if the DNS record returns a Cloudflare IP for your custom domain, e.g. example.com, then you would need to make use of the acme challenge record, as that could be grey-cloud (non-proxied) and so would still confirm you own the domain. However, you make a good point: if the acme challenge record’s value differs between apps, it can’t simultaneously be both (I’m surprised that is the case, since I thought it was based on the domain).

I wonder if you could bypass it by not using Fly’s certificates at all, since Cloudflare’s proxy provides its own SSL certificate. So instead of using A/AAAA records, you would CNAME example.com to app-name-1.fly.dev, and then CNAME *.example.com to app-name-2.fly.dev. Both those records would be orange-cloud (proxied). Cloudflare then handles the SSL termination and renewal. For the Cloudflare → Fly part of the connection, you can control that within Cloudflare’s SSL options (they call it strict, full, etc., as Fly would be the origin).
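To make the two options in this reply concrete, here is an added example (not code from the thread, from Fly or from Cloudflare) that models the zone as a list of records and checks them. It encodes the DNS-01 rule that a wildcard `*.example.com` and the apex `example.com` share the single challenge name `_acme-challenge.example.com`, which is why two apps cannot each have their own CNAME there; it assumes, as the reply does, that a grey-cloud host needs no challenge record while an orange-cloud host needs an unproxied one. The app names, IPs and challenge targets are made up.

```python
"""Zone sanity checks for the Cloudflare-proxy + Fly certificate problem.
Added example, not from the thread or from Fly/Cloudflare; app names and
challenge CNAME targets below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str              # "A", "AAAA" or "CNAME"
    value: str
    proxied: bool = False   # True = Cloudflare orange-cloud (answers with Cloudflare IPs)


def acme_challenge_name(hostname: str) -> str:
    """DNS-01 challenge label for a hostname (RFC 8555, section 8.4).

    A wildcard '*.example.com' is validated at '_acme-challenge.example.com',
    the same name the apex 'example.com' uses: that is the clash in the thread.
    """
    base = hostname[2:] if hostname.startswith("*.") else hostname
    return f"_acme-challenge.{base}"


def find_acme_conflicts(apps):
    """apps: iterable of (hostname, challenge_cname_target), one per Fly app.

    Returns {challenge_name: sorted targets} for every challenge name that two
    apps want pointed at different targets; a CNAME can hold only one value.
    """
    wanted = defaultdict(set)
    for hostname, target in apps:
        wanted[acme_challenge_name(hostname)].add(target)
    return {name: sorted(t) for name, t in wanted.items() if len(t) > 1}


def fly_can_issue(records, hostname):
    """Can Fly's ACME client validate `hostname` given these zone records?

    Assumption (as in the reply above): a grey-cloud host reaches the Fly app
    directly, so no challenge record is needed; an orange-cloud host answers
    with Cloudflare IPs, so validation must go through an unproxied
    _acme-challenge CNAME instead.
    """
    host_recs = [r for r in records
                 if r.name == hostname and r.rtype in ("A", "AAAA", "CNAME")]
    if not host_recs:
        return False, "no A/AAAA/CNAME record for hostname"
    if not any(r.proxied for r in host_recs):
        return True, "traffic reaches Fly directly; no challenge record needed"
    chal = acme_challenge_name(hostname)
    chal_recs = [r for r in records if r.name == chal and r.rtype == "CNAME"]
    if not chal_recs:
        return False, f"proxied host needs an unproxied CNAME at {chal}"
    if any(r.proxied for r in chal_recs):
        return False, f"{chal} must be grey-cloud (unproxied)"
    return True, f"validated via {chal} -> {chal_recs[0].value}"


def proxied_cname_plan(apps):
    """The work-around from the reply: orange-cloud CNAMEs to each app's
    .fly.dev hostname, so Cloudflare terminates TLS and Fly issues nothing.
    apps: iterable of (hostname, fly_app_hostname). Cloudflare flattens the
    CNAME at the apex, which plain DNS would not allow."""
    return [Record(host, "CNAME", fly_host, proxied=True) for host, fly_host in apps]


# Cloudflare -> origin leg for each SSL/TLS mode. Full (strict) needs a
# certificate Cloudflare trusts, e.g. a Cloudflare Origin CA cert on the app.
ORIGIN_LEG = {
    "Flexible":      ("http",  "plaintext to origin; avoid for anything sensitive"),
    "Full":          ("https", "any certificate accepted, not verified"),
    "Full (strict)": ("https", "certificate must be valid for the origin hostname"),
}


def origin_leg(mode):
    return ORIGIN_LEG[mode]


if __name__ == "__main__":
    # Constructed zone: both hosts orange-cloud, only one challenge CNAME possible.
    zone = [
        Record("example.com", "A", "203.0.113.10", proxied=True),
        Record("*.example.com", "A", "203.0.113.11", proxied=True),
        Record("_acme-challenge.example.com", "CNAME", "app-one.flydns.example"),
    ]
    for host in ("example.com", "*.example.com"):
        print(host, fly_can_issue(zone, host))
    print(find_acme_conflicts([("example.com", "app-one.flydns.example"),
                               ("*.example.com", "app-two.flydns.example")]))
    for r in proxied_cname_plan([("example.com", "app-name-1.fly.dev"),
                                 ("*.example.com", "app-name-2.fly.dev")]):
        print(r, origin_leg("Full (strict)"))
```

Running it shows both hosts "validating" through the same challenge record even though the second app wants a different target, which is exactly the conflict `find_acme_conflicts` reports; `proxied_cname_plan` is the alternative where no challenge record exists at all.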

You could terminate the TLS from your app and use an origin certificate from the CF dashboard, allowing you to use Full (strict).

Thanks for the advice everyone.

In the end I decided to use the “Flexible” setting for one of my apps, and “Full” for the other one, since I couldn’t find a manageable way to auto-renew the certs for both apps (without having to configure termination myself).
