The SSL wildcard certificate is not renewing for the custom domain

I have been using fly.io with a custom domain and an SSL wildcard certificate since August 2025, and everything was OK until now.
I haven’t changed anything when it comes to DNS, but in January my wildcard certificate for the domain “*.wormhole.tools” expired, and I can’t renew it. I tried to remove and add it many times without any luck.

Each time I try to add it, the ‘Issued’ field is empty.

fly certs show '*.wormhole.tools'
Status                    = Ready
Hostname                  = *.wormhole.tools
DNS Provider              = porkbun
Certificate Authority     = Let’s Encrypt
Issued                    =
Added to App              = 2 minutes ago
Source                    = fly
✓ Your certificate has been issued!
Your DNS is correctly configured and this certificate will auto-renew before expiration.

Non-wildcard certificates work, for example:

fly certs add damian.wormhole.tools
fly certs check 'damian.wormhole.tools'
Status                    = Ready
Hostname                  = damian.wormhole.tools
DNS Provider              = porkbun
Certificate Authority     = Let’s Encrypt
Issued                    = rsa,ecdsa
Added to App              = 55 seconds ago
Expires                   = 2 months from now
Source                    = fly
✓ Your certificate has been issued!
Your DNS is correctly configured and this certificate will auto-renew before expiration.


Could someone give me any clue how to fix this issue?

Hi :waving_hand:

I believe the main issue here is that you have both TXT records and a CNAME record conflicting on the _acme-challenge subdomain. From my end, I see:

dig +short TXT _acme-challenge.wormhole.tools
"imhKYfjBagXu-X0MfPOsVy_IHg4YfUNlf56Gld0eUtc"
"uZ-_2pEs5f7HT2VsnnbQZV6iuntq76Ri6-XXdHpCcDY"

As well as:

dig +short CNAME _acme-challenge.wormhole.tools
wormhole.tools.m2q1nm1.flydns.net.

Where the latter is:

dig +short TXT wormhole.tools.m2q1nm1.flydns.net
"WMfyWyuKCPzc00vcENXKsVer7-RZeXQt5lRCp8V-Yuk"
"Z4p2bzakn7FptRZ64tTY8w9cVPMlxpwOxogDIpU_vdQ"

It’s likely a little spotty whether the first dig +short TXT returns the TXT records I see, or follows the CNAME, but it definitely looks like both our backend and Let’s Encrypt are getting the incorrect values here, which is causing the certificate issuance to fail.

Removing these TXT records should clear things out (likely after some rate limits from Let’s Encrypt roll off). You should be left only with the CNAME.

If you don’t see these in your DNS records, it’s possible that this is Porkbun’s SSL product injecting them. If so, disabling that should fix things.

Let me know which of these steps helps resolve things!
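The diagnosis above hinges on a DNS rule: a CNAME may not share an owner name with any other record type (RFC 1034 §3.6.2), so when _acme-challenge carries both TXT records and a CNAME, a resolver that follows the CNAME and a server that answers from the raw data return different tokens, and the DNS-01 validation fails. The script below is an added example, not code from this thread or from fly.io, that reproduces the check against a constructed in-memory zone (the names mirror the thread; the token values are placeholders) and shows that removing the stray TXT records is what resolves the ambiguity.

```python
# Added example (not from the thread or fly.io): detect a CNAME/TXT conflict on
# _acme-challenge that breaks ACME DNS-01 delegation, using a constructed
# in-memory zone instead of live DNS. Names mirror the thread; the token
# values are placeholders, not real challenge tokens.
from copy import deepcopy

# Constructed zone: owner name -> {rtype: [values]} (trailing dots omitted).
ZONE = {
    "_acme-challenge.wormhole.tools": {
        "TXT": ["stale-token-1", "stale-token-2"],   # placeholders (stray records)
        "CNAME": ["wormhole.tools.m2q1nm1.flydns.net"],
    },
    "wormhole.tools.m2q1nm1.flydns.net": {
        "TXT": ["fly-token-1", "fly-token-2"],       # placeholders (delegated tokens)
    },
}


def resolve(zone, name, rtype, follow_cname=True, max_hops=8):
    """Return (owner_name, values) for `rtype` at `name`.

    follow_cname=True behaves like a standards-conforming resolver: a CNAME at
    the owner wins and the query restarts at its target (RFC 1034 s3.6.2).
    follow_cname=False returns whatever the authoritative data holds directly,
    which is what a lax server answers when a CNAME and other records
    illegally share an owner name.
    """
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if follow_cname and rtype != "CNAME" and "CNAME" in rrsets:
            name = rrsets["CNAME"][0]
            continue
        return name, list(rrsets.get(rtype, []))
    raise RuntimeError("CNAME chain too long at %s" % name)


def find_cname_conflicts(zone):
    """Owner names that carry a CNAME together with any other record type."""
    return sorted(n for n, rr in zone.items() if "CNAME" in rr and len(rr) > 1)


def check_acme_delegation(zone, domain):
    """Compare the direct and CNAME-followed TXT answers at _acme-challenge."""
    label = "_acme-challenge." + domain
    direct = resolve(zone, label, "TXT", follow_cname=False)[1]
    target, delegated = resolve(zone, label, "TXT", follow_cname=True)
    cname = zone.get(label, {}).get("CNAME", [])
    return {
        "cname_target": cname[0] if cname else None,
        "answer_owner": target,
        "direct_txt": direct,
        "delegated_txt": delegated,
        # A CNAME plus direct TXT data means validators may see either set.
        "conflict": bool(cname) and bool(direct),
    }


def remove_stray_txt(zone, domain):
    """Remediation from the thread: keep only the CNAME at _acme-challenge."""
    fixed = deepcopy(zone)
    label = "_acme-challenge." + domain
    if "CNAME" in fixed.get(label, {}):
        fixed[label] = {"CNAME": fixed[label]["CNAME"]}
    return fixed


if __name__ == "__main__":
    print("conflicts:", find_cname_conflicts(ZONE))
    print("before:", check_acme_delegation(ZONE, "wormhole.tools"))
    print("after: ", check_acme_delegation(remove_stray_txt(ZONE, "wormhole.tools"),
                                           "wormhole.tools"))
```

Against a live zone the same two views are what `dig +short TXT _acme-challenge.<domain>` (which may follow the CNAME) and `dig +short CNAME _acme-challenge.<domain>` give you; if the TXT answer and the TXT at the CNAME target differ, the delegation is broken in exactly the way described above.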

Thank you for your reply.

I didn’t add those TXT records on Porkbun – they may have been added automatically – but it’s still strange given that this certificate must have been renewed several times since last August. I have removed the TXT records and will see what happens.

Unfortunately, I’m currently receiving a rate limit error, so I’ll have to wait a little while longer. I’ll provide an update later.

That was it. The certificate was generated properly, and now this command returns a proper response:

fly certs show '*.wormhole.tools'
Status                    = Ready
Hostname                  = *.wormhole.tools
DNS Provider              = porkbun
Certificate Authority     = Let’s Encrypt
Issued                    = rsa,ecdsa
Added to App              = 6 minutes ago
Expires                   = 2 months from now
Source                    = fly

✓ Your certificate has been issued!
Your DNS is correctly configured and this certificate will auto-renew before expiration.

Thank you very much for your quick and precise diagnosis :slightly_smiling_face: :man_bowing:
