I have two apps. One of them runs at example.com, and the other one at *.example.com. As I understand it, to use the Cloudflare proxy with Fly's automatic certificate renewal I need to set an _acme-challenge CNAME record.
This would have worked, but I have example.com and *.example.com running as different apps, and they require different values for _acme-challenge. I can only have one when configuring DNS (from what I know).
You are right in that if the DNS record returns a Cloudflare IP for your custom domain, e.g. example.com, then you would need to make use of the ACME challenge record, as that could be grey-cloud (non-proxied) and so would still confirm you own the domain. However, you make a good point: if the ACME challenge record's value differs between apps, it can't simultaneously be both (I'm surprised that is the case, since I thought it was based on the domain …).
I wonder if you could bypass it by not using Fly's certificates at all, since Cloudflare's proxy provides its own SSL certificate. So instead of using A/AAAA records, you would CNAME example.com to app-name-1.fly.dev, and then CNAME *.example.com to app-name-2.fly.dev. Both those records would be orange-cloud (proxied). Cloudflare then handles the SSL termination and renewal. For the Cloudflare → Fly part of the connection, you can control that within Cloudflare's SSL options (they call it Strict, Full, etc., as Fly would be the origin).
In the end I decided to use the "Flexible" setting for one of my apps and "Full" for the other one, since I couldn't find a manageable way to auto-renew the certs for both apps (without having to configure termination myself).
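The CNAME-to-Fly layout proposed in the reply above, together with the zone-level SSL mode the thread refers to, written out as a Terraform configuration for the Cloudflare provider. This is an added illustration, not configuration posted in the thread or published by Fly or Cloudflare; it assumes the Cloudflare Terraform provider v4 attribute names, a placeholder zone ID supplied as a variable, and the app-name-1.fly.dev / app-name-2.fly.dev hostnames used in the reply.

```hcl
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0" # assumed provider major version; v5 renames some attributes
    }
  }
}

variable "zone_id" {
  description = "Cloudflare zone ID for example.com (placeholder, supplied by the operator)"
  type        = string
}

# Apex: example.com -> first Fly app. Proxied (orange cloud), so public DNS
# returns Cloudflare IPs and Cloudflare terminates TLS with its own edge
# certificate; no _acme-challenge record is needed for Fly to issue one.
# Cloudflare flattens a CNAME at the zone apex automatically.
resource "cloudflare_record" "apex" {
  zone_id = var.zone_id
  name    = "@"
  type    = "CNAME"
  value   = "app-name-1.fly.dev"
  proxied = true
  ttl     = 1 # "Auto"; required for proxied records
}

# Wildcard: *.example.com -> second Fly app, also proxied.
resource "cloudflare_record" "wildcard" {
  zone_id = var.zone_id
  name    = "*"
  type    = "CNAME"
  value   = "app-name-2.fly.dev"
  proxied = true
  ttl     = 1
}

# Encryption mode for the Cloudflare -> Fly (origin) hop:
#   "flexible": Cloudflare connects to the origin over plain HTTP, so only
#               the browser -> Cloudflare leg is encrypted
#   "full":     TLS to the origin, but the origin certificate is not validated
#   "strict":   TLS to the origin with a certificate that must be valid for
#               the requested hostname
# This setting is zone-wide, so it applies to both records above.
resource "cloudflare_zone_settings_override" "ssl" {
  zone_id = var.zone_id
  settings {
    ssl = "full"
  }
}
```

The zone setting covers every proxied hostname in the zone; using different modes for the two apps, as the last reply describes, requires a per-hostname override (a Page Rule or Configuration Rule matching that hostname) on top of this. Whatever the mode, the traffic Cloudflare forwards to Fly in "flexible" mode travels over plain HTTP, so that leg carries none of the protection the browser-facing certificate suggests.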