We noticed that we were unable to get an SSL cert issued when Cloudflare proxies traffic to our fly.io app instance. However, if we turn the proxy off, the cert gets issued successfully. I’m curious to know how this would affect the cert renewal process. Would we have to manually renew certs with Let’s Encrypt?
You are right - using their proxy means the certificate won’t be issued and/or won’t be renewed, since the DNS-returned value will be Cloudflare’s, not Fly’s, and so fail the validation. Hence why it does work when the proxy is off (grey cloud): the returned value is then Fly’s.
So your choice would either be to turn off the proxy (grey cloud) or, if you need their WAF etc. and so need to keep it (orange cloud), to add another DNS record: the ACME challenge. You should be able to get that in the Fly dashboard. As long as that record is not proxied, the certificate should validate and so renew.
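An added pre-flight check (example code written for this thread, not from the poster or from Fly) that encodes the reasoning above: it resolves the hostname and its `_acme-challenge` record with `dig` and reports which validation path can work. The Fly-assigned addresses and the CNAME target are assumed placeholders you copy from the Fly dashboard, and treating any non-Fly answer as "proxied" is a heuristic, not a Cloudflare IP-range check.

```python
"""Check whether a Cloudflare-proxied hostname can still validate a Fly cert.

Assumed inputs (placeholders, not taken from the thread): fly_ips is the
address list the Fly dashboard shows for the app, and acme_target is the
CNAME target Fly shows for the _acme-challenge record.
"""
import subprocess


def dig_short(name, rtype):
    """Run `dig +short` and return the answer lines (needs network and dig)."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=False).stdout
    return [ln.strip().rstrip(".") for ln in out.splitlines() if ln.strip()]


def diagnose(host_ips, fly_ips, acme_cnames, acme_target):
    """Explain which validation path works, given already-resolved records.

    host_ips:    addresses the hostname currently resolves to
    fly_ips:     addresses Fly assigned to the app (from the dashboard)
    acme_cnames: CNAME answers for _acme-challenge.<host>; empty when the
                 record is missing, or when it is itself proxied (orange
                 cloud), because Cloudflare then answers with its own A records
    acme_target: the CNAME target Fly expects for that record
    """
    # Heuristic: if none of the answers is a Fly address, something (here the
    # Cloudflare proxy) sits in front, so HTTP validation hits Cloudflare.
    proxied = bool(host_ips) and not set(host_ips) & set(fly_ips)
    acme_ok = acme_target.rstrip(".") in {c.rstrip(".") for c in acme_cnames}
    if not proxied:
        return "direct: hostname resolves to Fly; validation and renewal work"
    if acme_ok:
        return "proxied: _acme-challenge delegates to Fly; renewal works"
    return "proxied: no unproxied _acme-challenge CNAME; renewal will fail"


def check(host, fly_ips, acme_target):
    """Live variant: resolve the records, then diagnose them."""
    host_ips = dig_short(host, "A") + dig_short(host, "AAAA")
    acme = dig_short("_acme-challenge." + host, "CNAME")
    return diagnose(host_ips, fly_ips, acme, acme_target)


if __name__ == "__main__":
    # Placeholder values; replace with the ones from your Fly dashboard.
    print(check("www.example.com", ["203.0.113.10"],
                "www.example.com.ACME-TARGET-FROM-FLY-DASHBOARD"))
```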