You could save it in secrets and then get it in and out of your app with the necessary code for it.
Secrets are made available via env variables to the app.
There’s likely a size limit for any given secret, in the order of a few kilobytes or so.
At least that’s what I remember reading a few days ago.
Ref: How are you managing cert files with Fly?
I don’t think Cloudflare lets you download private keys of the certs they generate to also use it with your other deployments.
What Cloudflare lets you do (on Enterprise plans?) is upload your own public (private certs don’t require Enterprise plan, iirc) certs generated elsewhere (with services like letsencrypt.org, zerossl.com etc). With Fly, you can use your own certs, but then you’d have to do TLS termination yourself (that is, handle raw tcp and udp; that is, you won’t be able to use Fly’s HTTP load balancer to front your service).
Looked around a bit and found that CF allows you to take the private key only when you’re creating them, and not later… as the private key is not stored.
Copy the signed Origin Certificate and Private Key into separate files. For security reasons, you cannot see the Private Key after you exit this screen.
Thread about getting private key out during creation, with an answer from someone at CF:
“Origin Certs” are not public certs, though, right? Then OP’s question really is (which you answered): “How to use Fly.io as an origin server with Cloudflare Origin CA”…? which I misunderstood as “How to use same certs as Cloudflare does for my domain proxied through it”.
First of all, I am not a good server guy. Maybe I myself have already misunderstood the whole infrastructure of the cert things. hehe
I think what I am looking for is “How to use Fly.io as an origin server with Cloudflare Origin CA”…?
My problems
Let me put it this way: my domain name is hosted in Cloudflare Registrar, and I use DNS to point to fly.io for custom domain purposes (app in fly.io). Since I would like to use Cloudflare provided SSL, I need to enable the “proxy” for the domain name. (I guess, with proxy enabled, the https will be handled by Cloudflare first.)
When I use Cloudflare SSL with the custom domain at fly.io, fly.io says the custom domain is not verified once I enable the “proxy” again. FYI, I already added the custom domain to fly.io successfully because previously I disabled the “proxy”, so fly.io could verify it.
Expectations
I wanna use Full (Strict) SSL cert provided by Cloudflare which requires a trusted CA or Cloudflare Origin CA certificate on the server.
Since I wanna use the Cloudflare provided cert, I think there must be a way for me to input something like secrets or a key into fly.io, so fly.io (as a webserver) can recognize the https.
But
I totally have no idea how to do it, 50% have no idea how to ask it
The problem for you is, Fly doesn’t yet support “bring your own certs” with their application load balancer (HTTP/S load balancer). So, it does not matter if you choose to generate certs with (public) Trusted CA / (Cloudflare) Origin CA.
Unless there’s an easier way I missed, you have no choice but to terminate TLS in your Fly app using the certs you generate for your domain. How to ‘terminate TLS’ differs from web-server to web-server. Something like Caddy has built-in support, while Apache requires a bit of configuration; whereas, for reverse proxies like Nginx and HAProxy, there are plenty of tutorials to help you set it up.
Read them during Node / Deno bring-up, and listen for TLS connections, and handle TCP / HTTP from there, as usual.
We’ve automated steps 1 and 2 behind a github action (gh-action) to run every 2 months, but that isn’t open source because github unfortunately also makes all gh-action ‘runs’ public too, and I haven’t really looked at the logs from previous runs to see if it is safe to make it all public.
Thanks for the awesome explanation and I think I will stay with fly.io generated Let’s Encrypt cert.
One thing
Just curious about SSL things. Let’s say I use Cloudflare SSL and flyio’s side couldn’t verify the domain name. In this situation, is the connection still secured? Is the website still accessible via https?
Finally
I need time to digest the “terminate TLS” but thanks a lot!!
Let’s say I use Cloudflare SSL and flyio’s side couldn’t verify the domain name. In this situation, is the connection still secured? Is the website still accessible via https?
The connection between a client and Cloudflare’s reverse proxies is “secure” (over HTTPS). The connection between Cloudflare’s reverse proxies and your origin on Fly wouldn’t be (unless you set up “Origin CA” / “Trusted CA”).
Hah, not at all. Thanks to @ignoramous, @pier, and others in general who have tried the same thing before and shared their lessons learnt. I’m just a concierge.