Verifying a wildcard domain on cloudflare

@duke Hi,

Er, Cloudflare can introduce some problems, because it sits in front of Fly. Fly isn’t expecting that. So for example when you request a certificate in Fly for e.g. www.example.com, the validator comes along and sees if your domain is pointed at Fly, to prove you own it and it’s ok to issue the certificate. Except if your domain is orange-cloud (proxied), well, it won’t see a response from Fly. The response will come from Cloudflare. And so the validation will fail.

So the solution is usually to create a second DNS record. An acme-challenge one. That is the other way the request can be validated. Since if you have that record (usually that is a CNAME pointed at something-here.flydns.net, or at least it used to be) and that record is grey-cloud (non-proxied), well that will return a response from Fly. Validation passed and certificate issued. All good. So your public domain (www.example.com) is proxied by Cloudflare. It’s just the acme-challenge domain’s DNS record that isn’t. Which is fine as nobody apart from Fly will use that.

If that hasn’t helped, @eli is generally great with this. I’d also recommend reading this thread. Lots of people discussing their efforts using Cloudflare in front of Fly, and what they found worked. Likely you’ll find the answer somewhere in here:
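A quick way to check the two conditions described in the post (public host proxied, _acme-challenge record pointing at Fly and not proxied) from `dig +short` output. This is an added example, not code from the post or from Fly; it assumes Cloudflare's published IPv4 ranges are current and that the challenge CNAME still targets a `.flydns.net` name.

```python
import ipaddress

# Cloudflare's published IPv4 edge ranges (from cloudflare.com/ips; assumed current here).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare_ip(addr):
    """True if addr is a Cloudflare edge address, i.e. the name is orange-cloud proxied."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4)

def parse_dig_short(output):
    """Split `dig +short NAME` output into (cname targets, addresses)."""
    cnames, addrs = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ipaddress.ip_address(line)
            addrs.append(line)
        except ValueError:
            name = line.lower()
            cnames.append(name if name.endswith(".") else name + ".")
    return cnames, addrs

def public_host_status(output):
    """'proxied' if every address is a Cloudflare edge, 'direct' if none is, else 'mixed'."""
    _, addrs = parse_dig_short(output)
    if not addrs:
        return "unresolved"
    flags = [is_cloudflare_ip(a) for a in addrs]
    if all(flags):
        return "proxied"
    return "direct" if not any(flags) else "mixed"

def acme_record_status(output, fly_suffix=".flydns.net."):
    """Check the _acme-challenge record: CNAME to Fly (assumed suffix) and grey-cloud."""
    cnames, addrs = parse_dig_short(output)
    if not any(c.endswith(fly_suffix) for c in cnames):
        return "missing-cname"
    if any(is_cloudflare_ip(a) for a in addrs):
        return "proxied"  # validator would get Cloudflare's answer, not Fly's
    return "ok"
```

Feed it `dig +short www.example.com` and `dig +short _acme-challenge.www.example.com`; the expected combination is `proxied` for the public host and `ok` for the challenge record.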
