Use Cloudflare Certs to FlyIO

Is there any way to set certs if the origin certs were generated via Cloudflare?

Extra explanation

Maybe the way I say it isn’t clear enough, coz I am new to these cert things. Here’s what I’m gonna do:

  • Cloudflare > SSL/TLS > Origin Server > Create certs (RSA/ECC)
  • I would like to upload the certs private/public key to fly.io just like how netlify do it with the custom domains.
  • How? Coz I couldn’t find the place to input such things.

Hello,

You could save it in secrets and then get it in and out of your app with the necessary code for it.
Secrets are made available via env variables to the app.
There’s likely a size limit for any given secret, in the order of a few kilobytes or so.
At least that’s what I remember reading a few days ago.
Ref: How are you managing cert files with Fly?

You could put it into volumes as well.
Ref: Where to store CockroachCloud CA certificate? - #2 by jerome

I don’t think Cloudflare lets you download private keys of the certs they generate to also use it with your other deployments.

What Cloudflare lets you do (on Enterprise plans?) is upload your own public (private certs don’t require Enterprise plan, iirc) certs generated elsewhere (with services like letsencrypt.org, zerossl.com etc). With Fly, you can use your own certs, but then you’d have to do TLS termination yourself (that is, handle raw tcp and udp; that is, you won’t be able to use Fly’s HTTP load balancer to front your service).

Hey, thanks for making me dig more :stuck_out_tongue:

Looked around a bit and found that CF allows you to take the private key only when you’re creating them, and not later… as the private key is not stored.

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca#1-create-an-origin-ca-certificate

Step 10 says:

Copy the signed Origin Certificate and Private Key into separate files. For security reasons, you cannot see the Private Key after you exit this screen.

Thread about getting private key out during creation, with an answer from someone at CF:

1 Like

“Origin Certs” are not public certs, though, right? Then OP’s question really is (which you answered): “How to use Fly.io as an origin server with Cloudflare Origin CA”…? which I misunderstood as “How to use same certs as Cloudflare does for my domain proxied through it”.

No worries, I could still be wrong.
We’ll find out soon anyway.

Your response is faster than my server. :innocent:

Thanks @FrequentFlyer and @ignoramous

First of all, I am not a good server guy. Maybe me myself already misunderstood the whole infrastructure of the cert things. hehe

I think what I am looking for is “How to use Fly.io as an origin server with Cloudflare Origin CA”…?

My problems

Let me put it this way: my domain name is hosted with Cloudflare Registrar, and I use DNS to point it to fly.io for custom domain purposes (app in fly.io). Since I would like to use Cloudflare-provided SSL, I need to enable the “proxy” for the domain name. (I guess, with proxy enabled, the HTTPS will be handled by Cloudflare first.)

When I use Cloudflare SSL with the custom domain at fly.io, fly.io says the custom domain is not verified once I enable the “proxy” again. FYI, I already added the custom domain to fly.io successfully because previously I disabled the “proxy”, so fly.io could verify it.

Expectations

[Screenshot: Cloudflare SSL/TLS Overview page, 2022-01-26]

I wanna use Full (Strict) SSL cert provided by Cloudflare which requires a trusted CA or Cloudflare Origin CA certificate on the server.

Since I wanna use the Cloudflare-provided cert, I think there must be a way for me to input something like secrets or a key into fly.io, so fly.io (as a webserver) can recognize the HTTPS.

But

I totally have no idea how to do it, 50% have no idea how to ask it :grin:

Finally

Is this explanation clearer for you?

The problem for you is, Fly doesn’t yet support “bring your own certs” with their application load balancer (HTTP/S load balancer). So, it does not matter if you choose to generate certs with (public) Trusted CA / (Cloudflare) Origin CA.

Unless there’s an easier way I missed, you have no choice but to terminate TLS in your Fly app using the certs you generate for your domain. How to ‘terminate TLS’ differs from web server to web server. Something like Caddy has built-in support, while Apache requires a bit of configuration; whereas, for reverse proxies like Nginx and HAProxy, there are plenty of tutorials to help you set it up.

Here’s how we do so with Node and Deno:

  1. Generate certs from zerossl.com or letsencrypt.org (Trusted CA).
  2. Ingest key (private) and crt (public) files into our Fly app through flyctl secrets.
  3. Read them during Node / Deno bring-up, and listen for TLS connections, and handle TCP / HTTP from there, as usual.

We’ve automated steps 1 and 2 behind a GitHub Action (gh-action) that runs every 2 months, but that isn’t open source because GitHub unfortunately also makes all gh-action ‘runs’ public, and I haven’t really looked at the logs from previous runs to see if it is safe to make it all public.

1 Like

Ahh. That’s beyond my skill :grin: .

Thanks for the awesome explanation and I think I will stay with fly.io generated Let’s Encrypt cert.

One thing

Just curious about SSL things. Let’s say I use Cloudflare SSL and fly.io’s side couldn’t verify the domain name. In this situation, is the connection still secure? Is the website still accessible via HTTPS?

Finally

I need time to digest the “terminate TLS” but thanks a lot!!

Let’s say I use Cloudflare SSL and fly.io’s side couldn’t verify the domain name. In this situation, is the connection still secure? Is the website still accessible via HTTPS?

The connection between a client and Cloudflare’s reverse proxies is “secure” (over HTTPS). The connection between Cloudflare’s reverse proxies and your origin on Fly wouldn’t be (unless you set up “Origin CA” / “Trusted CA”).

Btw, the Cloudflare documentation is pretty well written: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes#flexible

1 Like

@Loonb This should help:

2 Likes

I see, now I get the whole view. Thanks :gift_heart:

Thanks. You should change your name to FrequentSolver. :star_struck:

Hah, not at all. Thanks to @ignoramous, @pier, and others in general who have tried the same thing before and shared their lessons learnt. I’m just a concierge.

2 Likes