Using my own CNAME value

I am planning to use Fly in my SaaS to allow my customers to add their custom domain.

I would like to have the CNAME value be my own domain.

I tried to set up a CNAME to point my domain to, and then a certificate from some subdomain pointing to my domain.

The problem I am having is that this causes the certificate validation for the subdomain to not work.

Any ideas on how I could solve this?

This should work.

Can you give us an example hostname that didn’t work? I can try and find out why.

Yeah sure.

I have pointed to

And then I have pointed to

Any update on this? I would really like to use fly but this is a blocker for us. Thanks

Sorry it took so long, I got distracted… :confused:

Our hostname check won’t allow this one through because if we go up the chain and ask the authoritative servers, for your hostname, for CNAME, A and AAAA records, we get nothing. It seems to resolve fine from Google DNS, though.

Here’s what seems to be happening:

  • We look up and find that it has a CNAME to
  • We look up via its SOA (Start of Authority).
    • It has none because it’s not a root domain.
    • So we check if it has a public suffix. It does:
    • We get the SOA of and we get:
    • We resolve to an IP.
    • We also get the NS of the root domain:
    • We resolve all of these to IPs and create a DNS client that will use the SOA and the NS we got, both IPv4 and IPv6 addresses.
    • We try to resolve either another CNAME or an A or AAAA record for using the DNS client with the servers we just found.
      • We get nothing for it.

This is all to “emulate” the process Let’s Encrypt goes through when it attempts to verify challenges. This works for almost all hostnames.

I’m not entirely sure why that’s not true for yours. It’s as if AWS is not aware of the records you’ve set up. I’m assuming you’re with AWS Route53 here.

Good news! We figured out what’s up with this one. has a different SOA record than (likely because the zone is managed separately). We weren’t detecting the right authority for subdomains, so your DNS looked wrong to us. That’s fixed, now, and you should see certificates generate properly.

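The authority walk described in the two posts above, as an added example that is not Fly.io's code: it models the lookup against constructed in-memory zones (PUBLIC_SUFFIXES, ZONES and the function names are all assumptions) and contrasts consulting only the root domain's SOA, which is the bug the fix addressed, with walking every label up to the public suffix.

```python
# Added example (not Fly.io's code): models the hostname check from the thread
# against constructed zones; nothing here touches the network.

PUBLIC_SUFFIXES = {"com", "example"}  # constructed stand-in for the public suffix list

# Constructed zones keyed by apex; a key's presence means that zone has its own SOA.
# "app.example.com" is managed separately from "example.com", as in the thread.
ZONES = {
    "example.com": {"example.com": [("A", "192.0.2.10")]},
    "app.example.com": {"app.example.com": [("A", "192.0.2.20"), ("AAAA", "2001:db8::20")]},
    "customer.example": {"www.customer.example": [("CNAME", "app.example.com")]},
}

def candidate_zones(name):
    """Yield name and each parent, most specific first, stopping at the public suffix."""
    labels = name.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in PUBLIC_SUFFIXES:
            return
        yield cand

def find_authority(name, walk_subdomains=True):
    """Return the apex of the zone whose SOA covers name, or None.
    walk_subdomains=False reproduces the original bug: only the root
    (registrable) domain's SOA is consulted, so a delegated subdomain is missed."""
    cands = list(candidate_zones(name))
    if not walk_subdomains:
        cands = cands[-1:]
    for cand in cands:
        if cand in ZONES:
            return cand
    return None

def resolve_authoritatively(name, walk_subdomains=True, max_hops=8):
    """Follow CNAMEs, asking only the authoritative zone at each hop (the
    Let's Encrypt style lookup being emulated). Returns A/AAAA records found."""
    for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
        zone = find_authority(name, walk_subdomains)
        if zone is None:
            return []
        rrs = ZONES[zone].get(name, [])
        targets = [t for rtype, t in rrs if rtype == "CNAME"]
        if targets:
            name = targets[0]  # go up the chain, as in the first bullet
            continue
        return [(rtype, v) for rtype, v in rrs if rtype in ("A", "AAAA")]
    return []
```

With `walk_subdomains=False` the customer hostname resolves to nothing, which is the "we get nothing for it" outcome in the thread; walking the labels finds the separately managed zone and its records.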

Thanks for the help, guys! I can confirm that it works now.