Wildcard cert stuck at awaiting certificates

Hi,

I’m having issues with my app failing to generate a wildcard certificate. As far as I can tell, I’ve set up all the DNS records appropriately.

I had originally got a non-wildcard cert on there as well, but have since removed that as I was worried they were somehow interfering.

❯ fly certs check "*.stayupfront.com"
Status                    = Awaiting certificates
Hostname                  = *.stayupfront.com
DNS Provider              = porkbun
Certificate Authority     = Let's Encrypt
Issued                    =
Added to App              = 25 minutes ago
Source                    = fly

Certificate validation issues:

  Too many certificate requests for this hostname. Rate limited by Let's Encrypt until 2025-12-12 13:46:10 UTC
  Fix: Certificate creation will retry automatically after the rate limit expires
  Checked 1s ago

Your certificate for *.stayupfront.com is being issued. Status is Awaiting certificates.

Note I’ve removed and re-added this, as I thought that might help. It has actually been trying for the last 9 hours or so, which is probably why it’s now hitting rate limits.

❯ dig +short cname _acme-challenge.stayupfront.com
stayupfront.com.kn6x1ed.flydns.net.

The ACME challenge record is, I believe, set correctly.

I’m not great with DNS, so it’s entirely ~possible~ probable that I’ve gotten something wrong, but it all looks correct as far as I can see. The non-wildcard domain generated fine.

Thanks, Rob

Looking from here (Brazil), all records look good, so it might really be a rate limit that needs a bit of time to set up.

❯ dig +short A _acme-challenge.stayupfront.com
stayupfront.com.kn6x1ed.flydns.net.

❯ dig +short A foo.stayupfront.com
66.241.124.115

❯ dig +short AAAA foo.stayupfront.com
2a09:8280:1::b9:80b7:0

It looks like you have also added multiple instances of the *.stayupfront.com certificate – you might want to remove all the extra copies as well for issuance to work properly.

The rate limit is applied from Let’s Encrypt side (for good reason), and unfortunately just recreating the certificate record on our side wouldn’t reset that external limit.

By the way, it looks like you have also directly added some TXT records under the _acme-challenge.stayupfront.com subdomain:

dig TXT _acme-challenge.stayupfront.com

; <<>> DiG 9.20.15 <<>> TXT _acme-challenge.stayupfront.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60452
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.stayupfront.com. IN	TXT

;; ANSWER SECTION:
_acme-challenge.stayupfront.com. 537 IN	TXT	"JRsvarFfaMQ6sL3o7aZgD_8GVDiNsAsaXS8Ia5CAhxk"
_acme-challenge.stayupfront.com. 537 IN	TXT	"leDS3QLJm6YiDKuc1y87j4BVXPOeRSuLCtvgeyqoUpY"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Dec 12 10:08:42 EST 2025
;; MSG SIZE  rcvd: 172

This will conflict with the CNAME record and will unfortunately not work. You will need to remove those TXT records for certs to work on Fly. For reference, here’s what it should look like (if you dig directly the CNAME target domain):

dig TXT stayupfront.com.kn6x1ed.flydns.net

; <<>> DiG 9.20.15 <<>> TXT stayupfront.com.kn6x1ed.flydns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19846
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;stayupfront.com.kn6x1ed.flydns.net. IN	TXT

;; ANSWER SECTION:
stayupfront.com.kn6x1ed.flydns.net. 274	IN TXT	"fUPI_mpS5vDh7azj2_367IPmYpFStulTcQQZGbxfC3s"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Dec 12 10:08:39 EST 2025
;; MSG SIZE  rcvd: 119
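As an added example (not code from this thread or from Fly.io), here is a small checker for the two conditions the reply above describes: `_acme-challenge.<domain>` must be a CNAME with no other records beside it, and following that CNAME must end at a TXT record on the provider side. It walks a constructed in-memory snapshot of the records, built from the dig output quoted in this thread, so it runs offline; `check_acme_delegation`, `lookup`, `Result` and the zone dictionaries are this example's own names, not anything from Fly or Let's Encrypt.

```python
"""Offline check of an ACME DNS-01 delegation (_acme-challenge CNAME -> provider TXT).

Added example, not from the thread or from Fly.io. The "zone" is a constructed
snapshot (name -> list of (type, rdata)); in real use the records would come
from dig or a DNS library, but the decision logic is the same.
"""
from dataclasses import dataclass, field


@dataclass
class Result:
    status: str                 # "ok", "conflict", "missing" or "loop"
    name: str                   # name at which the walk stopped
    txt: list = field(default_factory=list)
    detail: str = ""


def _fqdn(name: str) -> str:
    """Normalise to lower-case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def lookup(zone: dict, name: str, rtype: str) -> list:
    """All rdata of one type at exactly this name (no CNAME chasing)."""
    return [rdata for rtype_, rdata in zone.get(_fqdn(name), []) if rtype_ == rtype]


def check_acme_delegation(zone: dict, domain: str, max_hops: int = 8) -> Result:
    """Walk from _acme-challenge.<domain> through any CNAME chain to the TXT record.

    A CNAME must be the only record at its name (RFC 1034 section 3.6.2), so a
    TXT (or a second CNAME) beside it is reported as a conflict rather than
    silently resolved one way or the other.
    """
    name = _fqdn(f"_acme-challenge.{domain}")
    seen: set = set()
    while True:
        cnames = lookup(zone, name, "CNAME")
        txts = lookup(zone, name, "TXT")
        if cnames and (txts or len(cnames) > 1):
            return Result("conflict", name, txts,
                          "CNAME must be the only record at this name; remove the TXT records")
        if cnames:
            if name in seen or len(seen) >= max_hops:
                return Result("loop", name, detail="CNAME chain loops or is too long")
            seen.add(name)
            name = _fqdn(cnames[0])
            continue
        if txts:
            return Result("ok", name, txts)
        return Result("missing", name, detail="no TXT record at the end of the chain")


# Constructed snapshot of the state the reply above found: a CNAME plus two
# stray TXT records at _acme-challenge, and the provider's TXT at the target.
ZONE_BEFORE = {
    "_acme-challenge.stayupfront.com.": [
        ("CNAME", "stayupfront.com.kn6x1ed.flydns.net."),
        ("TXT", "JRsvarFfaMQ6sL3o7aZgD_8GVDiNsAsaXS8Ia5CAhxk"),
        ("TXT", "leDS3QLJm6YiDKuc1y87j4BVXPOeRSuLCtvgeyqoUpY"),
    ],
    "stayupfront.com.kn6x1ed.flydns.net.": [
        ("TXT", "fUPI_mpS5vDh7azj2_367IPmYpFStulTcQQZGbxfC3s"),
    ],
}

# Constructed snapshot of the corrected state: only the CNAME remains, and the
# token at the target has since rotated (a new value per ACME order is normal).
ZONE_AFTER = {
    "_acme-challenge.stayupfront.com.": [
        ("CNAME", "stayupfront.com.kn6x1ed.flydns.net."),
    ],
    "stayupfront.com.kn6x1ed.flydns.net.": [
        ("TXT", "c0lEQKy91a_sXQfzd_OSRXpo4ib3nZosEv045ENiY1U"),
    ],
}


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        r = check_acme_delegation(zone, "stayupfront.com")
        print(f"{label}: {r.status} at {r.name} {r.txt} {r.detail}")
```

The "conflict" branch is the situation the reply asks to fix: once the stray TXT records are gone the walk reaches the provider's TXT and reports "ok". The token at the target changes with every ACME order, so seeing a different value from one dig to the next is expected; what matters is that the value reached by following the CNAME from `_acme-challenge` is the one the provider currently publishes at the target.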

Thanks both for your responses. I’d thought those TXT records were from when I set up FastMail, but it actually looks like they might have been holdovers from the Porkbun holding page. I’ve removed them.

I’m now getting this if I dig the target name as mentioned, which looks nearly the same as you expected; however, the answer TXT value does appear to be different. I’m not sure if that matters?

❯ dig TXT stayupfront.com.kn6x1ed.flydns.net

; <<>> DiG 9.10.6 <<>> TXT stayupfront.com.kn6x1ed.flydns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47094
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;stayupfront.com.kn6x1ed.flydns.net. IN	TXT

;; ANSWER SECTION:
stayupfront.com.kn6x1ed.flydns.net. 84 IN TXT	"c0lEQKy91a_sXQfzd_OSRXpo4ib3nZosEv045ENiY1U"

;; Query time: 31 msec
;; SERVER: 100.100.100.100#53(100.100.100.100)
;; WHEN: Fri Dec 12 15:19:09 GMT 2025
;; MSG SIZE  rcvd: 119

I believe that with the TXT records gone, this is now correct:

❯ dig TXT _acme-challenge.stayupfront.com

; <<>> DiG 9.10.6 <<>> TXT _acme-challenge.stayupfront.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48095
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.stayupfront.com. IN	TXT

;; ANSWER SECTION:
_acme-challenge.stayupfront.com. 600 IN	CNAME	stayupfront.com.kn6x1ed.flydns.net.
stayupfront.com.kn6x1ed.flydns.net. 300	IN TXT	"c0lEQKy91a_sXQfzd_OSRXpo4ib3nZosEv045ENiY1U"

;; Query time: 304 msec
;; SERVER: 100.100.100.100#53(100.100.100.100)
;; WHEN: Fri Dec 12 15:20:44 GMT 2025
;; MSG SIZE  rcvd: 164

In the time it’s taken me to triple-check this response, it looks like that has kicked it into gear – thanks again for your help!
