SSL termination error with custom domain (CNAME) and new certificate

I have an app that I imported from Heroku called “unicode-highlight”. I wish to host it on Fly using HTTPS and a CNAME from my DNS provider (Amazon Route 53).

Here is the output of fly certs check:

$ fly certs check unicode-highlight.devilcat.xyz -a unicode-highlight
The certificate for unicode-highlight.devilcat.xyz has been issued.
Hostname                  = unicode-highlight.devilcat.xyz
DNS Provider              = aws
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 1 hour ago
Source                    = fly

And the results of a curl -v:

$ curl -v https://unicode-highlight.devilcat.xyz/
*   Trying 37.16.22.82:443...
* TCP_NODELAY set
* Connected to unicode-highlight.devilcat.xyz (37.16.22.82) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to unicode-highlight.devilcat.xyz:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to unicode-highlight.devilcat.xyz:443

In Chrome, visiting https://unicode-highlight.devilcat.xyz simply results in a generic “Connection Reset” error and nothing is shown.

Here is my setup in Route 53:

Any help is greatly appreciated! I’ve looked at Custom Domains and SSL Certificates · Fly Docs about a dozen times but I can’t figure it out.

Thanks,
-Travis

Looks like a (let’s encrypt / isrg) tls cert for unicode-highlight.devilcat.xyz has been issued (via Fly or whoever) just today: crt.sh | 7438420022 (in fact, four such certs).

In Chrome, visiting https://unicode-highlight.devilcat.xyz simply results in a generic “Connection Reset” error and nothing is shown.

Can you share your fly.toml if that’s okay? It could be that the web-server isn’t listening for plaintext http1.x / plaintext http2 (aka h2c) on appropriate port (here’s a nodejs reference).

Thanks for looking into it!

I think the four certs are because I had CNAME to unicode-highlight.fly.dev as well as CNAME with the certificate authorization running at the same time maybe?

Either way, I can’t share a fly.toml file because I don’t have one: the app was imported from Heroku.

Thanks,
-Travis

Hey, just wondering - why use a CNAME in the first place?

nginxproxy.fly.dev happens to point to some app… that I’m fairly sure isn’t yours, and definitely doesn’t have a certificate for unicode-highlight.devilcat.xyz

Can you try with an A record pointing to the IPv4 address for your app instead? You can find those out with flyctl ips list.

Actually, even better. You can use a CNAME record but it needs to point to yourapp.fly.dev, not nginxproxy.fly.dev, which is the example used in the docs.

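The two rules the replies above converge on (a CNAME chain has to end at the app's own <app>.fly.dev hostname, and a bare A record has to be one of the addresses `fly ips list` reports) and the curl symptom of a connection reset immediately after the Client Hello, as an added example that is not part of the original thread and is not Fly's own tooling. The zone tables, the `fly ips list` output (its column layout is an assumption) and the 203.0.113.0/24 and 2001:db8:: addresses are constructed for the example; the curl transcript is the one posted above, and reading the reset as "the edge that accepted the connection held no certificate for that SNI" follows the reply above rather than anything Fly has documented here.

```python
# Offline checker for a Fly custom domain (added example, not Fly's tooling).
# Rule 1: a CNAME chain must end at <app>.fly.dev.
# Rule 2: a bare A/AAAA record must be one of the app's own addresses.
# Plus a coarse classifier for `curl -v` transcripts, so a reset right after the
# Client Hello is not mistaken for a certificate-validation failure.

HOST = "unicode-highlight.devilcat.xyz."
APP = "unicode-highlight"

# Constructed zone data (one record per owner name, as a collapsed `dig` answer).
# BROKEN_ZONE mirrors the thread: the CNAME points at the docs' placeholder.
BROKEN_ZONE = {
    HOST: ("CNAME", "nginxproxy.fly.dev."),
    "nginxproxy.fly.dev.": ("A", "37.16.22.82"),        # address seen in the curl output
}
FIXED_ZONE = {
    HOST: ("CNAME", f"{APP}.fly.dev."),
    f"{APP}.fly.dev.": ("A", "203.0.113.10"),             # constructed (TEST-NET-3)
}
A_RECORD_ZONE = {HOST: ("A", "203.0.113.10")}              # constructed
WRONG_A_ZONE = {HOST: ("A", "37.16.22.82")}                # someone else's app

# Constructed stand-in for `fly ips list`; the column layout is an assumption.
FLY_IPS_LIST = """VERSION  IP             TYPE    REGION  CREATED AT
v4       203.0.113.10   public  global  1h ago
v6       2001:db8::1    public  global  1h ago
"""

# The curl transcript posted in the thread.
CURL_TRANSCRIPT = """*   Trying 37.16.22.82:443...
* TCP_NODELAY set
* Connected to unicode-highlight.devilcat.xyz (37.16.22.82) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to unicode-highlight.devilcat.xyz:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to unicode-highlight.devilcat.xyz:443
"""


def follow_cnames(zone, name, max_hops=8):
    """Walk CNAME records from `name`; return every name visited, in order."""
    chain = [name]
    while True:
        rr = zone.get(chain[-1])
        if rr is None or rr[0] != "CNAME":
            return chain
        target = rr[1]
        if target in chain:
            raise ValueError(f"CNAME loop via {target}")
        chain.append(target)
        if len(chain) > max_hops:
            raise ValueError("CNAME chain exceeds max_hops")


def parse_fly_ips(text):
    """Return the set of addresses from a `fly ips list` table (header line skipped)."""
    ips = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2:
            ips.add(fields[1])
    return ips


def check_custom_domain(zone, hostname, app, app_ips):
    """Return (ok, reason) for a custom hostname that should front Fly app `app`."""
    chain = follow_cnames(zone, hostname)
    terminal = chain[-1]
    if len(chain) > 1:
        # Rule 1: the chain has to land on the app's own Fly hostname; any other
        # target is served by an edge that holds no certificate for `hostname`.
        if terminal != f"{app}.fly.dev.":
            return False, (f"{hostname} CNAMEs to {terminal}, not {app}.fly.dev.: "
                           "that target has no certificate for this hostname")
        return True, f"{hostname} -> {' -> '.join(chain[1:])}"
    # Rule 2: no CNAME, so the hostname must carry one of the app's own addresses.
    rr = zone.get(hostname)
    if rr is None or rr[0] not in ("A", "AAAA"):
        return False, f"{hostname} has no CNAME, A or AAAA record"
    if rr[1] not in app_ips:
        return False, f"{hostname} -> {rr[1]} is not an address of app {app}"
    return True, f"{hostname} -> {rr[1]}"


def classify_tls_failure(curl_verbose):
    """Classify a `curl -v https://...` transcript into a coarse failure class."""
    if "Failed to connect" in curl_verbose or "Connection refused" in curl_verbose:
        return "tcp-connect-failed"
    if "certificate verify failed" in curl_verbose or "SSL certificate problem" in curl_verbose:
        return "certificate-rejected"
    sent_client_hello = "TLS handshake, Client hello" in curl_verbose
    got_server_hello = "TLS handshake, Server hello" in curl_verbose
    if sent_client_hello and not got_server_hello and (
            "SSL_ERROR_SYSCALL" in curl_verbose or "Connection reset" in curl_verbose):
        # TCP connected, Client Hello went out, peer closed before any Server Hello:
        # the edge had nothing to serve for that SNI (no certificate validation ran).
        return "reset-before-server-hello"
    if got_server_hello and "curl: (" not in curl_verbose:
        return "handshake-ok"
    return "unknown"


if __name__ == "__main__":
    ips = parse_fly_ips(FLY_IPS_LIST)
    for label, zone in [("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE),
                        ("a-record", A_RECORD_ZONE), ("wrong-a", WRONG_A_ZONE)]:
        print(label, check_custom_domain(zone, HOST, APP, ips))
    print("curl:", classify_tls_failure(CURL_TRANSCRIPT))
```

Run it as-is to see the four zone verdicts and the classification of the posted transcript; to use it against a live domain, feed `follow_cnames` a zone built from `dig +noall +answer CNAME <host>` and `parse_fly_ips` the real `fly ips list -a <app>` output, checking the column order first.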

Actually, even better. You can use a CNAME record but it needs to point to yourapp.fly.dev, not nginxproxy.fly.dev, which is the example used in the docs.

That fixed it, thanks! The example used in the docs isn’t adequately marked as an example, imo. Something like “nginxproxy” sounds like a legitimate service that Fly would operate to me.

Thanks again!
-Travis