I am planning to use fly in my saas to allow my customers to add their custom domain.
I would like to have the cname value be my own domain.
I tried to set up a cname to point my domain to my-app.fly.dev, and then a certificate from some subdomain pointing to my domain.
The problem I am having is that this causes the certificate validation for the subdomain to not work.
Any ideas on how I could solve this?
This should work.
Can you give us an example hostname that didn’t work? I can try and find out why.
I have pointed
And then I have pointed
Any update on this? I would really like to use fly but this is a blocker for us. Thanks
Sorry it took so long, I got distracted…
Our hostname check won’t allow this one through because if we go up the chain and ask the authoritative servers, for your hostname, for CNAME, A and AAAA records, we get nothing. It seems to resolve fine from Google DNS though.
Here’s what seems to be happening:
- We look up custom-domain.nathanfelix.com and find that it has a CNAME to
- We look up domains.dev.picflow.com via its SOA (Start of Authority).
- It has none because it’s not a root domain.
- So we check if it has a public suffix. It does:
- We get the SOA of picflow.com and we get:
- We resolve ns-1513.awsdns-61.org to an IP.
- We also get the NS of the root domain:
- We resolve all of these to IPs and create a DNS client that will use the SOA and the NS we got, both IPv4 and IPv6 addresses.
- We try to resolve either another CNAME or an A or AAAA record for domains.dev.picflow.com using the DNS client with the servers we just found.
This is all to “emulate” the process Let’s Encrypt goes through when it attempts to verify challenges. This works for almost all hostnames.
I’m not entirely sure why that’s not true for yours. It’s as if AWS is not aware of the records you’ve set up. I’m assuming you’re with AWS Route53 here.
Good news! We figured out what’s up with this one.
dev.picflow.com has a different SOA record than picflow.com (likely because the zone is managed separately). We weren’t detecting the right authority for subdomains, so your DNS looked wrong to us. That’s fixed now, and you should see certificates generate properly.
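An added example (not Fly.io’s code) of the authority walk described in the earlier reply and of the fix described here: instead of live DNS it uses a constructed in-memory set of zones, so it runs offline. The hostnames are the ones from this thread; the nameserver `ns1.dev-zone.invalid`, `ns1.nathanfelix.invalid` and the address `198.51.100.10` are invented placeholders. `naive_authority` jumps straight to the registrable domain (the behaviour that returned nothing), `nearest_authority` walks up one label at a time and stops at the first name that has its own SOA.

```python
# Constructed zone data: hostnames from the thread; nameserver names and the address are invented.
# Each zone answers only for records it is authoritative for, as real authoritative servers do.
ZONES = {
    "nathanfelix.com.": {
        "nathanfelix.com.": {"SOA": ["ns1.nathanfelix.invalid."]},
        "custom-domain.nathanfelix.com.": {"CNAME": ["domains.dev.picflow.com."]}},
    "picflow.com.": {
        "picflow.com.": {"SOA": ["ns-1513.awsdns-61.org."]},
        "dev.picflow.com.": {"NS": ["ns1.dev-zone.invalid."]}},  # delegation only, no A records here
    "dev.picflow.com.": {
        "dev.picflow.com.": {"SOA": ["ns1.dev-zone.invalid."]},
        "domains.dev.picflow.com.": {"A": ["198.51.100.10"]}},
}

def query(zone, name, rtype):
    """Ask the servers of `zone` for name/rtype (stand-in for a real resolver query)."""
    return ZONES.get(zone, {}).get(name, {}).get(rtype, [])

def naive_authority(name):
    """The behaviour that failed: jump straight to the registrable domain and use its SOA."""
    root = ".".join(name.rstrip(".").split(".")[-2:]) + "."
    return root if query(root, root, "SOA") else None

def nearest_authority(name):
    """The fix: walk up one label at a time; the first name with its own SOA is the zone cut."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:]) + "."
        if query(candidate, candidate, "SOA"):
            return candidate
    return None

def resolve_target(hostname, authority_of, max_hops=8):
    """Follow CNAMEs as the thread describes, asking the chosen authority at each hop.
    Returns (addresses, final_name); addresses is [] when the authority knows nothing."""
    name = hostname if hostname.endswith(".") else hostname + "."
    for _ in range(max_hops):
        zone = authority_of(name)
        if zone is None:
            return [], name
        cname = query(zone, name, "CNAME")
        if cname:
            name = cname[0]
            continue
        return query(zone, name, "A") + query(zone, name, "AAAA"), name
    return [], name  # CNAME loop or chain too long
```

With `naive_authority` the chain ends at `domains.dev.picflow.com.` with no addresses, which is the "we get nothing" from the earlier reply; with `nearest_authority` the same chain ends at the A record held by the `dev.picflow.com` zone.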
Thanks for the help guys! I can confirm that it works now.