I have checked that the records match, and the fly CLI shows me that it's waiting:
The certificate for *.** has not been issued yet.
Hostname = *.**
DNS Provider = cloudflare
Certificate Authority = Let's Encrypt
Issued =
Added to App = 4 days ago
Source = fly
You are creating a wildcard certificate for *.**
We are using lets_encrypt for this certificate.
The first one is working as expected:
Host Name Added Status
*.domainA 4 days ago Ready
*.domainB. 4 days ago Awaiting certificates
Unfortunately, Cloudflare is clobbering the acme-challenge record. There's a note in our docs about this: Custom domains · Fly Docs
If you're using Cloudflare, you might be using their Universal SSL feature, which inserts a TXT record of _acme-challenge.<YOUR_DOMAIN> for your domain. This can interfere with our certificate validation/challenge, and you should disable this feature.
You can then verify that the change has propagated and the TXT record is no longer present by running dig txt _acme-challenge.<YOUR_DOMAIN> +short.
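A small POSIX shell check for the verification step quoted above, added here as an example (it is not Fly's or the docs' own code). It assumes dig is installed and parses its +noall +answer output; the CNAME target and TXT values in the comments are constructed, not Fly's real record names.

```shell
# classify_answers LABEL ANSWERS
# LABEL   : the challenge owner name, e.g. _acme-challenge.example.com (no trailing dot)
# ANSWERS : output of `dig txt "$LABEL" +noall +answer`, one RR per line:
#           "<owner> <ttl> IN <type> <rdata>"
# Prints one of:
#   conflict  - the label itself serves a TXT record (what a leftover Universal SSL
#               record looks like), so a provider-managed challenge cannot win
#   delegated - the label is only a CNAME to somewhere else and serves no TXT of its own
#   missing   - no record at all for the label
# Only RRs whose owner is LABEL are counted: when the label is a CNAME, dig follows it
# and also prints TXT records of the target, and those must not be mistaken for a conflict.
classify_answers() {
  label="$1"
  answers="$2"
  txt=0; cname=0
  set -f   # no globbing while splitting RR lines into fields
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    set -- $line               # $1=owner $2=ttl $3=class $4=type $5...=rdata
    owner=${1%.}               # strip the trailing dot dig prints
    [ "$owner" = "$label" ] || continue
    case "$4" in
      TXT)   txt=$((txt + 1)) ;;
      CNAME) cname=$((cname + 1)) ;;
    esac
  done <<EOF
$answers
EOF
  set +f
  if [ "$txt" -gt 0 ]; then echo conflict
  elif [ "$cname" -gt 0 ]; then echo delegated
  else echo missing
  fi
}

# check_domain DOMAIN: run the live query and classify. Exit status is 0 only when the
# label is delegated, so it can gate a script that waits for the certificate.
check_domain() {
  label="_acme-challenge.$1"
  answers=$(dig txt "$label" +noall +answer 2>/dev/null)
  state=$(classify_answers "$label" "$answers")
  echo "$label: $state"
  [ "$state" = delegated ]
}
```

Run as `check_domain example.com` after changing the DNS, and re-run until it reports delegated; a conflict result means the TXT record at the label itself is still being served.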
Thanks so much. I have verified the TXT record; it resolves to fly.io now.
May I ask one more thing: since Cloudflare is now a well-known DNS provider and its default setting breaks wildcard certs, why not add this notice to the fly CLI output?
I can see there is a DNS check in the fly CLI when running fly certs check; it showed that the two records were set after I updated my DNS records. But, like you said, the DNS record is broken by Cloudflare's automatic TLS, so the "updated" notice is confusing.