What's the proper way to use certs with machines?

I have an app, an ip, a verified cert, a machine, and a dns record pointing at the ip. The docker image listens on port 80, so the machine has a port 80->80 mapping. Hitting the site in my browser on port 80 works.

Opening the site with https:// fails (no response). I tried changing the service to be 443->80 and that didn’t work (as expected) - the response makes it to the server, but it’s ssl protocol not http and the server bails. So what’s the canonical way to use certs?

I assumed that the certs would be used by fly’s load balancer which I presume comes between the ip and the machine, and it would automatically listen on 443 and upstream that to machines exposing port 80, but this doesn’t appear to be the case per experiment 2.

Ah, I found the handlers parameter on the machine services port entry, and added “tls”.

Now 80 fails with ERR_EMPTY_RESPONSE and 443 fails with ERR_CONNECTION_RESET.

Ah, figured it out. After setting up the cert, ip, dns, etc you need a service on your machine with:

  • internal_port: 80 (or whatever http handler your machine has)
  • port: 443 with handler tls

The current custom domain documentation has nothing on using custom certs with machines so it would be awesome if the documentation could be extended with this info.

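The service definition that the fix above describes, written out as a Fly Machines config `services` entry (an added example, not from the original post). The image name is a placeholder; the `http` handler next to `tls` on 443 and the `force_https` redirect on port 80 are additions beyond what the post used, and they are what keeps plain-HTTP visitors from getting an empty response.

```json
{
  "image": "registry.fly.io/PLACEHOLDER-APP:latest",
  "services": [
    {
      "protocol": "tcp",
      "internal_port": 80,
      "ports": [
        { "port": 443, "handlers": ["tls", "http"] },
        { "port": 80, "handlers": ["http"], "force_https": true }
      ]
    }
  ]
}
```

TLS is terminated at the Fly proxy with the cert issued for the domain, and the decrypted request is forwarded to the container's port 80; the container itself never sees TLS, which is why a 443->80 mapping without the `tls` handler fails.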
