The problem for you is, Fly doesn’t yet support “bring your own certs” with their application load balancer (HTTP/S load balancer). So, it does not matter if you choose to generate certs with (public) Trusted CA / (Cloudflare) Origin CA.
Unless there’s an easier way I missed, you have no choice but to terminate TLS in your Fly app using the certs you generate for your domain. How to ‘terminate TLS’ differs from web-server to web-server. Something like Caddy has built-in support, while Apache requires a bit of configuration; whereas, for reverse proxies like Nginx and HAProxy, there are plenty of tutorials to help you set it up.
Here’s how we do so with Node and Deno:
- Generate certs from zerossl.com or letsencrypt.org (Trusted CA).
- Ingest `key` (private) and `crt` (public) files into our Fly app through `flyctl secrets`.
- Read them during Node / Deno bring-up, and listen for TLS connections, and handle TCP/HTTP from there, as usual.
We’ve automated steps 1 and 2 behind a GitHub Action (gh-action) to run every 2 months, but that isn’t open source because GitHub unfortunately also makes all gh-action ‘runs’ public too, and I haven’t really looked at the logs from previous runs to see if it is safe to make it all public.