Hey, we just received a few emails about our domains failing certificate renewal. Error shows: “An IPv6 address pointed at us is required.”
Strange part is that these apps have been live for two years without issue, everything in the fly.io dashboard > Certificates is green for each domain, even when I hit “Check again”. This includes the _acme-challenge verification as well (we do proxy through Cloudflare).
Sudden error after all this time makes me wonder if there’s a small bug happening on the fly.io side, but asking in case there’s something I’m missing.
In my case, lack of an IPv6 is intentional. In fact the subject FQDN is v4.<mydomain.tld> to enforce IPv4-only connections to this connectivity diagnostics app. Adding an AAAA record for this subdomain will invalidate its core purpose.
I also received a few emails that say the same thing. One of my domains is behind Cloudflare, and the other is not. My dashboard says everything is fine.
Sorry folks, we disabled these emails now - looks like the code for them didn’t properly check DNS challenges, or that the certificate was actually expiring.
FYI, I reached out to support and got this response:
Notifying when a certificate fails to renew is a frequent request from users - so we went ahead and added that functionality which was rolled out today. As you probably noticed, the notifications could use some tweaking. We’ll likely switch the notifications off and take a bit of time to refine how they work.
If possible, I recommend verifying the reported certificates in your Fly.io dashboard to confirm they were correctly renewed, since if the notification email was sent, it means our system did attempt a certificate renewal and it may have failed. If things look OK there, it’s safe to ignore the notifications.
We use Let’s Encrypt for TLS certificates. Their certificates have a 90-day validity duration, and I believe they are planning to shorten that to 45 days, but I cannot find documentation on that at the moment.