Subdomains and SSL generation

Hello, I have a couple of questions

I was wondering what is the best way to verify a domain and request its respective ssl certificate.

Adding a domain via fly cli tells us to add an A record pointing to X ip address, and this seems to work. But the certificate is never generated.

When adding a domain to get its certificate from the dashboard, it tells us to add a DNS record, but doesn’t mention which one: EJ =>

It also mentions the need to confirm ownership of the domain, once the corresponding CNAME record has been added, the status changes in the panel, however, it takes several minutes until the certificate is finally generated, still clicking on the “Check again” button . I’m asking this because you thought the certificates were generated in a few seconds and it took about 10 minutes to complete.

Also, I was wondering how I could mask the domain verification process with my own custom domain instead of flydns, this would provide a better brand image for our clients.

In our service we also offer our clients the possibility of using our domain, with a custom subdomain, the problem is that our domain registrar does not offer an api so that I can create multiple CNAME records pointing to the application, I wonder if you have servers available dns which can point and be able to have this problem covered without having to change my domain to another domain registrar, I do not know if I have explained myself well.

Thanks since now

Oh sorry we were slow to respond on this!

When you add an apex domain (like, you need to add both an A record and an AAAA record for us to generate a certificate. The AAAA record points to an IPv6 address that only your app will ever use, so it’s the safest way to verify “ownership”.

When you add a domain + subdomain (like you can use a CNAME record, which makes things simpler.

The check can take some time. Certificates are quick to generate once the DNS updates, but DNS entries can take a bit to propagate to where we can “see” them.

You can create your own custom domain to have people use for the DNS entries. Many of our customers setup, or even and tell people to make DNS entries pointing to those. It works fine!

I’m not quite following this question. If you want to support customer subdomains, your best bet is a wildcard. fly certs '*' will add a certificate that lets work on your app. You will need to do special verification for a wildcard, but your DNS provider will almost definitely let you create wildcard entries that point to your application. Does that help?

Hi Kurt! Thanks for your reply

In relation to the first case, of apex domains, there are 2 ways to verify ownership, with an AAAA record and with a subdomain

In my current domain registrar, adding an AAAA record requires a special request by email, I understand that it is a special case, so I would also like to offer my clients 2 options.

My question with the verification of the domain through the CNAME shown in the previous example is that I have not managed to replace “” with one of our own brand.

On the contrary, for a subdomain, I have been able to do it and I have a brand domain working. I only had to do what you said to point my own subdomain to “” through a CNAME record.

Is it possible to achieve the same result with an apex domain?

And in relation to the second case. I have contacted those who guard my domain to find out if I can create a wildcard subdomain or an alternative, since the problem I have is that currently, I can only create subdomains manually, for that reason I asked for an alternative using name servers.

Thank you very much again for your reply.


Oh I see! I’ll call _acme-challenge cnames “DNS verification”. If I understand right, what you’d like to do is use your own domain for DNS verification targets, like: POINTING TO

This is technically doable, but will take some work. The hostnames are all unique. You can create your own names for this, but you will have to do it for each and every one and I think that might be brittle. It’s definitely a lot of work.

In my current domain registrar, adding an AAAA record requires a special request by email, I understand that it is a special case, so I would also like to offer my clients 2 options.

This is a pain! We can reduce the strictness on your application and make certificates work when there’s only an A record, if it helps. It’s not ideal but it might by you some time to solve the problem later.

Oh this would be great! Do you need me to do something on my side?

It’s an internal setting we control. I went ahead and enabled it old-bush-7696, will you try it out and see if that helps?

I’m testing and it seems to work fine, extremely well. Thank you very much for the support and flexibility!

In doing so I have been able to realize a possible internal bug, to get to it I only had to eliminate the previous application that had a specific IP, and now, after eliminating it and trying to access it either by targeted domain or IP, the screen of Django debug, I guess it’s nothing, but warning in case you haven’t noticed.

IP to replicate it:

We do reuse IP addresses, so it’s likely someone else created an app and is running Django on that IP now!

Hello again @kurt , I have created a new app to act as a production environment, I would like to be able to activate the automatic verification also for the tolai app, the previous app is configured for the development/staging environment, so we must keep it too.

Tell me if you need any information, thank you!

All set! Will you give it a try?

It’s going great @kurt, thank you very much!

1 Like