Verifying a wildcard domain on cloudflare


I’m trying to setup a wildcard domain, but the verification instructions tell me to create a CNAME record to _acme-challenge…, but when I try to enter this into cloudflare DNS, it is marked as invalid. Is this an error?



Cloudflare can potentially complicate things because it can have grey-cloud (non-proxied) and orange-cloud (proxied) DNS records. And within orange-cloud DNS records are further settings, like what SSL-mode Cloudflare is set to use in order to connect to the origin (n this case, a Fly app).

Assuming the CNAME entry you added in Cloudflare has a grey-cloud next to it, is that the result of you typing fly certs '* I believe that is the command to make a wildcard certificate and should return a valid acme_challenge which you can then add to Cloudflare. If the fly command does not return that directly, you can also see the DNS entry to add in the Fly dashboard, in the app, in its certificates tab.

And that should let e.g work.

Thanks, the command displayed a valid challenge. The dashboard did not.


It’s weird, the _acme-challenge that is displayed in the dashboard is invalid, as it has two periods, so it would be _acme-challenge…, which is invalid, but the terminal command fly certs show ‘*’ it has only one period.

Additionally, in the dashboard, the verification status keeps switching between verified and unverified. The certs are also taking quite a while to generate. Any clue on why that might be?


From my experience, Cloudflare can introduce problems when you are using an orange-cloud (aka proxied) DNS entry.

Check your DNS acme challenge entry exactly matches what the CLI showed and that is a grey-cloud aka not proxied record.

If you want to use Cloudflare’s features, its WAF etc then you do need an orange-cloud (proxied) CNAME for your domain (not the acme challenge domain - that’s separate). But that may be causing the validation Fly uses for its SSL to fail. If you are just using Cloudflare for DNS-alone, then make sure that CNAME is also a grey-cloud. That will mean its requests also go straight to Fly. Not via Cloudflare.

Assuming your DNS entries are correct (e.g and are grey-cloud, this is going to be one for Fly to answer, as only they will be able to dig into the app, certs etc and see what’s happening with its innards. It’s possible there is a temporary issue with LetsEncrypt/provider too. They’ll be able to check.

@julianbuse the dashboard does indeed have a bug showing a second period for wildcard certificates. should be