Subdomains don't work: Secure connection failed

I am hosting an application on fly.io with Namecheap as DNS provider.

I created an A record and an AAAA record on Namecheap to redirect to the IP address of the application, and everything works fine: talers.io

But then I tried to add another A record and an AAAA record for the www prefix, pointing to the same IP address, and it does not work: www.talers.io

If I check the IP address for www.talers.io, I get the right IP, so the Namecheap records are working well.

If I try to visit www.talers.io on Firefox, I get the following error:

Secure connection failed

So it seems that there is an issue with the fly proxy, SSL certificate and subdomains?

Hi,

I guess one question would be whether Fly is aware of that hostname too … have you previously added it? For example take a look at:

Only the IPv4 may be shared with other apps. If the Fly proxy sees a request arrive with a Host header e.g. www.example.com to e.g. 1.2.3.4, how would it know where to route that request to (which VM)? It would need to have been told already. So you would need to have already set a cert for e.g. www.your-domain.com. From what I’ve seen, Fly uses Let’s Encrypt for certificates and they are not wildcard ones, they match the hostname. So it would need a certificate for www.your-domain.com too.

Assuming you do have a match on the custom domain within Fly’s system already, then I’m not sure as it should be able to match it, route the request to the correct vm, and return the already-issued cert for it (so no secure connection errors).

Hi,

I think that’s it. I indeed remember having created the certificate for the root domain:

flyctl certs create talers.io

But I should have also created a certificate for subdomains, right? Like this:

flyctl certs create "*.talers.io"

Ah, yep, that’ll be it then. You need to tell Fly about any custom domain so it can know where to route those requests. So if you only need www.talers.io, personally I’d just use that. But if you want more sub-domains, yep, you would need a wildcard cert. And make sure it’s been validated after. That should only take a few minutes but sometimes takes longer.
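The diagnosis in this thread boils down to two separate checks: DNS resolves the name (which the poster confirmed), but the TLS handshake for that name fails because the proxy has no certificate whose names cover it. The script below is an added example, not part of the original thread or of flyctl: it resolves a hostname, opens a TLS connection with that hostname as SNI, and reports whether the certificate's subjectAltName entries cover it using the usual single-label wildcard rule, so that `*.talers.io` covers `www.talers.io` but covers neither the apex `talers.io` nor a deeper name like `a.b.talers.io`. The hostnames are the thread's; the matching helpers can be run offline on a constructed certificate dictionary.

```python
import socket
import ssl
from typing import Iterable, List, Optional, Tuple


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: a leading '*' stands for exactly one label.

    "*.talers.io" covers "www.talers.io" but not "talers.io" (fewer labels)
    and not "a.b.talers.io" (the wildcard does not span two labels).
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        h_labels = hostname.split(".")
        p_labels = pattern.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return hostname == pattern


def san_dns_names(cert: dict) -> List[str]:
    """Pull the DNS entries out of the dict form of ssl getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covered_by(hostname: str, names: Iterable[str]) -> Optional[str]:
    """Return the first certificate name that covers hostname, or None."""
    for name in names:
        if hostname_matches(hostname, name):
            return name
    return None


def resolve(hostname: str) -> List[str]:
    """All A/AAAA answers for hostname (this is the part the poster had right)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """TLS handshake sending hostname as SNI; returns the leaf cert dict.

    Chain validation stays on so getpeercert() is populated, but hostname
    checking is off because the whole point is to inspect a mismatch rather
    than abort on it. Returns None when the proxy refuses the handshake,
    which is what the browser reports as "Secure connection failed".
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.getpeercert()
    except (ssl.SSLError, OSError):
        return None


def diagnose(hostname: str) -> Tuple[List[str], Optional[str]]:
    """Return (resolved addresses, covering cert name or None) for hostname."""
    addrs = resolve(hostname)
    cert = fetch_cert(hostname)
    match = covered_by(hostname, san_dns_names(cert)) if cert else None
    return addrs, match


if __name__ == "__main__":
    # Live use against the thread's hostnames; needs network access.
    for host in ("talers.io", "www.talers.io"):
        addrs, match = diagnose(host)
        status = f"covered by {match}" if match else "no usable certificate"
        print(f"{host}: resolves to {addrs or 'nothing'}; TLS: {status}")
```

When the proxy answers with a certificate for a different name, the output tells you whether the fix is a missing `flyctl certs create` for that hostname or a DNS problem, which the browser error alone does not distinguish.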

It worked, thank you for the help!
