1st
I was wondering what is the best way to verify a domain and request its respective ssl certificate.
Adding a domain via fly cli tells us to add an A record pointing to X ip address, and this seems to work. But the certificate is never generated.
When adding a domain to get its certificate from the fly.io dashboard, it tells us to add a DNS record, but doesn’t mention which one: EJ example-domain.com => internal-app.fly.dev.
It also mentions the need to confirm ownership of the domain, once the corresponding CNAME record has been added, the status changes in the panel, however, it takes several minutes until the certificate is finally generated, still clicking on the “Check again” button . I’m asking this because you thought the certificates were generated in a few seconds and it took about 10 minutes to complete.
Also, I was wondering how I could mask the domain verification process with my own custom domain instead of flydns, this would provide a better brand image for our clients.
2nd
In our service we also offer our clients the possibility of using our domain, with a custom subdomain, the problem is that our domain registrar does not offer an api so that I can create multiple CNAME records pointing to the application, I wonder if you have servers available dns which can point and be able to have this problem covered without having to change my domain to another domain registrar, I do not know if I have explained myself well.
When you add an apex domain (like example.com), you need to add both an A record and an AAAA record for us to generate a certificate. The AAAA record points to an IPv6 address that only your app will ever use, so it’s the safest way to verify “ownership”.
When you add a domain + subdomain (like www.example.com) you can use a CNAME record, which makes things simpler.
The check can take some time. Certificates are quick to generate once the DNS updates, but DNS entries can take a bit to propagate to where we can “see” them.
You can create your own custom domain to have people use for the DNS entries. Many of our customers setup apps.example.com, or even appname.example.com and tell people to make DNS entries pointing to those. It works fine!
I’m not quite following this question. If you want to support customer subdomains, your best bet is a wildcard. fly certs '*.example.com' will add a certificate that lets anything.example.com work on your app. You will need to do special verification for a wildcard, but your DNS provider will almost definitely let you create wildcard entries that point to your application. Does that help?
In relation to the first case, of apex domains, there are 2 ways to verify ownership, with an AAAA record and with a subdomain
EX: CNAME
_acme-challenge.domain-example.com POINTING TO domain-example.com.app-name.flydns.net.
In my current domain registrar, adding an AAAA record requires a special request by email, I understand that it is a special case, so I would also like to offer my clients 2 options.
My question with the verification of the domain through the CNAME shown in the previous example is that I have not managed to replace “app-name.flydns.net” with one of our own brand.
On the contrary, for a subdomain, I have been able to do it and I have a brand domain working. I only had to do what you said to point my own subdomain to “app-name.flydns.net” through a CNAME record.
Is it possible to achieve the same result with an apex domain?
And in relation to the second case. I have contacted those who guard my domain to find out if I can create a wildcard subdomain or an alternative, since the problem I have is that currently, I can only create subdomains manually, for that reason I asked for an alternative using name servers.
Oh I see! I’ll call _acme-challenge cnames “DNS verification”. If I understand right, what you’d like to do is use your own domain for DNS verification targets, like:
_acme-challenge.domain-example.com POINTING TO domain-example.com.yourdomain.net.
This is technically doable, but will take some work. The domain-example.com.a3de3.app-name.flydns.net hostnames are all unique. You can create your own domain-example.com.a3de3.yourdomain.net names for this, but you will have to do it for each and every one and I think that might be brittle. It’s definitely a lot of work.
In my current domain registrar, adding an AAAA record requires a special request by email, I understand that it is a special case, so I would also like to offer my clients 2 options.
This is a pain! We can reduce the strictness on your application and make certificates work when there’s only an A record, if it helps. It’s not ideal but it might by you some time to solve the problem later.
I’m testing and it seems to work fine, extremely well. Thank you very much for the support and flexibility!
In doing so I have been able to realize a possible internal bug, to get to it I only had to eliminate the previous application that had a specific IP, and now, after eliminating it and trying to access it either by targeted domain or IP, the screen of Django debug, I guess it’s nothing, but warning in case you haven’t noticed.
Hello again @kurt , I have created a new app to act as a production environment, I would like to be able to activate the automatic verification also for the tolai app, the previous app is configured for the development/staging environment, so we must keep it too.