Verifying a wildcard domain on cloudflare

Hi!

I’m trying to set up a wildcard domain, but the verification instructions tell me to create a CNAME record to _acme-challenge..twelvepool.com, but when I try to enter this into Cloudflare DNS, it is marked as invalid. Is this an error?

Thanks

Hi,

Cloudflare can potentially complicate things because it can have grey-cloud (non-proxied) and orange-cloud (proxied) DNS records. And within orange-cloud DNS records are further settings, like what SSL mode Cloudflare is set to use in order to connect to the origin (in this case, a Fly app).

Assuming the CNAME entry you added in Cloudflare has a grey-cloud next to it, is that the result of you typing fly certs '*.example.com'? I believe that is the command to make a wildcard certificate and should return a valid acme_challenge which you can then add to Cloudflare. If the fly command does not return that directly, you can also see the DNS entry to add in the Fly dashboard, in the app, in its certificates tab.

And that should let e.g. xyz.example.com work.


Thanks, the command displayed a valid challenge. The dashboard did not.


It’s weird, the _acme-challenge that is displayed in the dashboard is invalid, as it has two periods, so it would be _acme-challenge..domain.com, which is invalid, but in the terminal command fly certs show '*.domain.com' it has only one period.

Additionally, in the dashboard, the verification status keeps switching between verified and unverified. The certs are also taking quite a while to generate. Any clue on why that might be?

Strange.

From my experience, Cloudflare can introduce problems when you are using an orange-cloud (aka proxied) DNS entry.

Check that your DNS acme challenge entry exactly matches what the CLI showed and that it is a grey-cloud (aka not proxied) record.

If you want to use Cloudflare’s features, its WAF etc., then you do need an orange-cloud (proxied) CNAME for your domain (not the acme challenge domain - that’s separate). But that may be causing the validation Fly uses for its SSL to fail. If you are just using Cloudflare for DNS alone, then make sure that CNAME is also a grey-cloud. That will mean its requests also go straight to Fly, not via Cloudflare.

Assuming your DNS entries are correct (e.g. https://www.whatsmydns.net/) and are grey-cloud, this is going to be one for Fly to answer, as only they will be able to dig into the app, certs etc. and see what’s happening with its innards. It’s possible there is a temporary issue with LetsEncrypt/provider too. They’ll be able to check.

@julianbuse the dashboard does indeed have a bug showing a second period for wildcard certificates.

_acme-challenge..domain.com should be _acme-challenge.domain.com
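The two checks recommended above (the record name must not carry the dashboard's doubled period, and the record must match the CLI output and be grey-cloud) can be scripted. The following is an added example, not code from the thread, from Fly or from Cloudflare; it assumes a Cloudflare record represented as a plain dict with `name`, `type`, `content` and `proxied` keys, uses example.com, and uses `placeholder-target.flydns.net` as a constructed stand-in for whatever target the CLI actually prints.

```python
import re

# One DNS label: letters, digits and hyphens, with a leading underscore allowed
# for service names such as _acme-challenge; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_hostname(name: str) -> list:
    """Return the problems found in a DNS owner name (empty list means valid).

    An empty label caused by two consecutive dots, as shown by the dashboard
    bug in this thread, is reported here; Cloudflare rejects such a name.
    """
    problems = []
    bare = name.rstrip(".")  # trailing dot (FQDN form) is fine
    if not bare:
        return ["name is empty"]
    if len(bare) > 253:
        problems.append("name longer than 253 characters")
    for i, label in enumerate(bare.split(".")):
        if label == "":
            problems.append(f"empty label at position {i} (two consecutive dots)")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} is malformed")
    return problems


def normalize_hostname(name: str) -> str:
    """Lower-case, drop a trailing dot and collapse doubled dots for comparison."""
    return ".".join(part for part in name.lower().rstrip(".").split(".") if part)


def check_acme_cname(record: dict, expected_name: str, expected_target: str) -> list:
    """Compare one Cloudflare DNS record against the name/target the CLI printed.

    Returns a list of findings; an empty list means the record is the grey-cloud
    CNAME the validation needs.
    """
    findings = [f"name: {p}" for p in validate_hostname(record["name"])]
    if normalize_hostname(record["name"]) != normalize_hostname(expected_name):
        findings.append(f"name {record['name']!r} does not match {expected_name!r}")
    if record["type"].upper() != "CNAME":
        findings.append(f"record type is {record['type']}, expected CNAME")
    if normalize_hostname(record["content"]) != normalize_hostname(expected_target):
        findings.append(f"target {record['content']!r} does not match {expected_target!r}")
    if record.get("proxied"):
        findings.append(
            "record is proxied (orange-cloud); the validation response must come "
            "from Fly directly, so switch it to DNS only (grey-cloud)"
        )
    return findings


# Constructed sample values: what the CLI printed (placeholder target) and three
# candidate records as they might have been entered in Cloudflare.
CLI_CHALLENGE_NAME = "_acme-challenge.example.com"
CLI_CHALLENGE_TARGET = "placeholder-target.flydns.net"  # placeholder, not a real Fly value

SAMPLE_RECORDS = {
    "good": {"name": "_acme-challenge.example.com", "type": "CNAME",
             "content": "placeholder-target.flydns.net", "proxied": False},
    # copied from the dashboard with the doubled period
    "dashboard": {"name": "_acme-challenge..example.com", "type": "CNAME",
                  "content": "placeholder-target.flydns.net", "proxied": False},
    # correct name but left orange-cloud
    "orange": {"name": "_acme-challenge.example.com", "type": "CNAME",
               "content": "placeholder-target.flydns.net", "proxied": True},
}


def audit(records: dict = SAMPLE_RECORDS) -> dict:
    """Run check_acme_cname over every record; maps record label to its findings."""
    return {label: check_acme_cname(rec, CLI_CHALLENGE_NAME, CLI_CHALLENGE_TARGET)
            for label, rec in records.items()}


if __name__ == "__main__":
    for label, findings in audit().items():
        print(label, "->", "OK" if not findings else findings)
```

Only the `good` record comes back clean; the dashboard copy is flagged for its empty label, and the orange-cloud copy is flagged because the validator would get Cloudflare's answer instead of Fly's.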

Hey @greg, I am trying to use Cloudflare (proxied), but when I turned on the proxy the site can't be reached.
It is also complaining about _acme-challenge.domain.com.
How can I set it up (what do I need to do)?
Thanks

@duke Hi,

Er, Cloudflare can introduce some problems, because it sits in front of Fly. Fly isn’t expecting that. So for example when you request a certificate in Fly for e.g. www.example.com, the validator comes along and sees if your domain is pointed at Fly, to prove you own it and it’s ok to issue the certificate. Except if your domain is orange-cloud (proxied), well it won’t see a response from Fly. The response will come from Cloudflare. And so the validation will fail.

So the solution is usually to create a second DNS record. An acme-challenge one. That is the other way the request can be validated. Since if you have that record (usually that is a CNAME pointed at something-here.flydns.net, or at least it used to be) and that record is grey-cloud (non-proxied), well that will return a response from Fly. Validation passed and certificate issued. All good. So your public domain (www.example.com) is proxied by Cloudflare. It’s just the acme-challenge domain’s DNS record that isn’t. Which is fine as nobody apart from Fly will use that.

If that hasn’t helped, @eli is generally great with this. I’d also recommend reading this thread. Lots of people discussing their efforts using Cloudflare in front of Fly, and what they found worked. Likely you’ll find the answer somewhere in here:


Thanks @greg for your detailed answer. It is currently working, but what I did is set SSL/TLS to Full in Cloudflare.
