/plushcap/analysis/fly-io/how-cdns-generate-certificates

How CDNs Generate Certificates

What's this blog post about?

Fly is a content delivery network for Docker containers that runs on Firecracker VMs and a global WireGuard mesh. To obtain TLS certificates for the apps it hosts it uses Let's Encrypt's ACME protocol, which issues domain-validated certificates: the CA hands the requester a challenge and issues only once the requester proves it controls the domain. The ACME challenge types are http-01, dns-01 and tls-sni-01; tls-sni-01 was deprecated after it was shown that on shared hosting an attacker who shared an IP address with the victim could have the provider serve a certificate for the challenge's synthetic SNI name and so pass validation for any domain pointing at that IP. Fly mitigates this class of problem by not reusing IP addresses across applications. The replacement challenge is tls-alpn-01, which uses ALPN (Application Layer Protocol Negotiation): the responder must negotiate the dedicated acme-tls/1 protocol and present a self-signed certificate that carries the challenge's key authorization in a dedicated extension. That is more explicit than the SNI challenge, because a general-purpose TLS front end that merely answers for an SNI name will not satisfy it by accident.
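The tls-alpn-01 exchange described above, as an added example in Go; this is not code from the Fly.io post or from Fly's own tooling. The OID 1.3.6.1.5.5.7.1.31 and the ALPN string acme-tls/1 are the ones RFC 8737 specifies; the token and account-key thumbprint are constructed for the demo (a real token comes from the CA's challenge object, and the thumbprint is the RFC 7638 JWK thumbprint of the ACME account key). The CA's side and the responder run in one process over net.Pipe so the whole thing works offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"net"
	"time"
)

// id-pe-acmeIdentifier (RFC 8737) and the ALPN protocol identifier the CA asks for.
var acmeIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
const acmeALPN = "acme-tls/1"

// keyAuthDigest is SHA-256("<token>.<account key JWK thumbprint>"), the value the certificate must carry.
func keyAuthDigest(token, thumbprint string) [32]byte {
	return sha256.Sum256([]byte(token + "." + thumbprint))
}

// buildChallengeCert makes the self-signed responder certificate: a single SAN for the
// identifier plus a critical acmeIdentifier extension wrapping the digest in a DER OCTET STRING.
func buildChallengeCert(domain string, digest []byte) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	extVal := append([]byte{0x04, byte(len(digest))}, digest...) // OCTET STRING, short-form length (digest is 32 bytes)
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{domain},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: acmeIdentifierOID, Critical: true, Value: extVal}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// responderConfig is the server side: the challenge certificate goes only to a ClientHello
// that names the domain under validation and offers acme-tls/1, never to ordinary traffic.
func responderConfig(domain string, cert tls.Certificate) *tls.Config {
	return &tls.Config{
		NextProtos:             []string{acmeALPN},
		SessionTicketsDisabled: true, // nothing is written after Finished, which keeps net.Pipe deadlock-free
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for _, p := range hello.SupportedProtos {
				if p == acmeALPN && hello.ServerName == domain {
					return &cert, nil
				}
			}
			return nil, errors.New("not an acme-tls/1 request for the validated domain")
		},
	}
}

// validate plays the CA over an in-memory pipe: offer only acme-tls/1 with SNI = domain,
// then check the negotiated protocol, the SAN and the digest inside the extension.
func validate(domain string, serverCfg *tls.Config, want []byte) error {
	cConn, sConn := net.Pipe()
	go func() {
		defer sConn.Close()
		tls.Server(sConn, serverCfg).Handshake() // a failure here surfaces as a client-side error
	}()
	defer cConn.Close()
	client := tls.Client(cConn, &tls.Config{
		ServerName:         domain,
		NextProtos:         []string{acmeALPN},
		InsecureSkipVerify: true, // self-signed by design; its contents are checked below instead
	})
	if err := client.Handshake(); err != nil {
		return err
	}
	cs := client.ConnectionState()
	if cs.NegotiatedProtocol != acmeALPN || len(cs.PeerCertificates) != 1 ||
		len(cs.PeerCertificates[0].DNSNames) != 1 || cs.PeerCertificates[0].DNSNames[0] != domain {
		return errors.New("expected acme-tls/1 and one certificate whose only SAN is the identifier")
	}
	for _, ext := range cs.PeerCertificates[0].Extensions {
		if !ext.Id.Equal(acmeIdentifierOID) {
			continue
		}
		var got []byte
		if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 || !ext.Critical || string(got) != string(want) {
			return errors.New("acmeIdentifier extension malformed, not critical, or digest mismatch")
		}
		return nil
	}
	return errors.New("acmeIdentifier extension missing")
}
```

Calling validate(domain, responderConfig(domain, cert), digest[:]) returns nil only when the server negotiated acme-tls/1 and presented a certificate whose single SAN is the domain and whose acmeIdentifier extension holds the expected digest; a wrong SNI, a wrong digest or a missing extension all fail. The SupportedProtos check inside GetCertificate is what makes the challenge explicit in the sense the post describes: an ordinary HTTPS client never receives the challenge certificate, and a TLS stack that was not written for ACME cannot satisfy the CA just by answering for the name.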

Company
Fly.io

Date published
June 25, 2020

Author(s)
Thomas Ptacek

Word count
2241

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.