Fly deploy: explicitly create the .fly.dev managed cert

[dougdevitre]

Why

App is fully healthy on Fly (machine running, internal health checks passing, clean logs), but the public cotrackpro-talk.fly.dev URL keeps returning:

HTTP/2 403
x-deny-reason: host_not_allowed
Host not in allowlist

This response comes from Fly's edge proxy, not the app. Fly's shared-IP edge routes by SNI/Host header — if there's no managed cert on file for the hostname, the proxy denies traffic before it ever reaches the machine. For brand-new accounts the .fly.dev auto-cert flow occasionally stalls, and the explicit fly certs create is needed to kick Let's Encrypt issuance.

Fix

Add a step between Deploy and Resume that ensures the cert exists. The step is idempotent — skips creation if the cert is already there.

Doing this via the workflow rather than the user's CLI because their local fly auth login has been failing to connect.

Test plan

• CI green
• After merge: re-run https://github.com/dougdevitre/cotrackpro-talk/actions/workflows/fly-deploy.yml
• "Ensure managed certificate" step prints either "creating cert for cotrackpro-talk.fly.dev" or "cert already exists"
• Wait ~30s after the workflow finishes for Let's Encrypt issuance
• curl -i https://cotrackpro-talk.fly.dev/health returns 200

---

Generated by Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cotrackpro-talk	Ready	Preview, Comment	May 16, 2026 8:36pm