
Custom Domain + TLS

Attach your own domain to a PaaS app — TLS certificates are auto-issued and auto-renewed via cert-manager + Let's Encrypt. No manual renewal, no certbot setup.

Prerequisites

  • A PaaS app already deployed (paas apps:list shows it)
  • Domain registrar access to add DNS records
  • A custom domain or subdomain you control (example.com or www.example.com)

Step 1 — Add the domain

paas domains:add www.example.com

Output:

✓ Domain www.example.com queued
  Add this DNS record to verify ownership:
    www.example.com   CNAME   ingress.runtime.di2amp.com.
  Then run: paas domains:verify www.example.com

To add multiple domains at once:

paas domains:add example.com www.example.com api.example.com

Step 2 — Configure DNS

Add the record at your DNS provider:

Domain type   Record          Host   Value
Subdomain     CNAME           www    ingress.runtime.di2amp.com.
Apex (root)   A               @      <IP shown by paas domains>
Apex (alt)    ALIAS / ANAME   @      ingress.runtime.di2amp.com.

For apex domains, prefer ALIAS/ANAME if your registrar supports it (Cloudflare, Route 53, DNSimple, OVH all do). Plain A records work but break if the platform IP ever changes.

Step 3 — Verify ownership

$ paas domains:verify www.example.com
 DNS resolves to PaaS ingress (51.158.x.x)
 cert-manager: triggered Let's Encrypt issuance
  This takes 1-5 minutes. Watch with: paas domains

cert-manager performs an HTTP-01 challenge (or DNS-01 for wildcards) and provisions the cert.

Step 4 — Check TLS status

$ paas domains
DOMAIN              STATUS    TLS              EXPIRES
www.example.com     active    Let's Encrypt    2026-08-02
api.example.com     pending   provisioning     

Statuses:

  • pending — DNS not propagated yet
  • provisioning — cert-manager issuing
  • active — TLS live, app reachable on HTTPS
  • failed — see paas domains:logs www.example.com for the cert-manager error

Step 5 — Auto-renewal

Let's Encrypt certs are valid for 90 days. cert-manager renews them automatically 30 days before expiry. No action needed.

You can force a renewal:

paas domains:renew www.example.com
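
To confirm that auto-renewal is actually happening, the following added example (not part of the PaaS tooling or this page's original commands) parses a `paas domains` table in the column layout shown in Step 4 and flags domains that are not active or whose certificate is inside the 30-day renewal window. The sample rows, the `-` placeholder in the failed row, and the function names are constructed for illustration.

```python
import re
from datetime import date

RENEW_WINDOW_DAYS = 30  # from the page: renewal starts 30 days before expiry
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample in the Step 4 column layout (not real platform output).
SAMPLE = """\
DOMAIN              STATUS    TLS              EXPIRES
www.example.com     active    Let's Encrypt    2026-08-02
api.example.com     pending   provisioning
old.example.com     active    Let's Encrypt    2026-05-20
shop.example.com    failed    -
"""

def parse_domains(text):
    """Parse the table into dicts; TLS may contain spaces, EXPIRES may be empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "DOMAIN":
            continue  # skip blank lines and the header row
        expires = date.fromisoformat(parts.pop()) if DATE_RE.match(parts[-1]) else None
        rows.append({"domain": parts[0], "status": parts[1],
                     "tls": " ".join(parts[2:]), "expires": expires})
    return rows

def audit(text, today):
    """Return (domain, issue) pairs for every domain that needs attention."""
    findings = []
    for row in parse_domains(text):
        status, expires = row["status"], row["expires"]
        if status == "failed":
            issue = "issuance failed"
        elif status != "active":
            issue = f"no TLS yet ({status})"
        elif expires is None:
            issue = "active but no expiry shown"
        elif (expires - today).days < 0:
            issue = "certificate expired"
        elif (expires - today).days < RENEW_WINDOW_DAYS:
            issue = f"renewal overdue, {(expires - today).days} days left"
        else:
            continue  # active and outside the renewal window: healthy
        findings.append((row["domain"], issue))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{d}: {i}" for d, i in audit(SAMPLE, date(2026, 5, 10))))
```

For a domain flagged as overdue or failed, paas domains:logs shows the cert-manager error and paas domains:renew forces a new attempt.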

Wildcard domains

For *.example.com, use the DNS-01 challenge (HTTP-01 doesn't support wildcards):

paas domains:add '*.example.com' --challenge dns-01

Then add the TXT record shown by paas domains:verify. cert-manager polls until DNS propagates.

Remove a domain

paas domains:rm www.example.com

The TLS cert is revoked and the cert-manager Certificate CR is deleted. The DNS record on your side is unchanged; remove it manually if no longer needed, since a record left in place keeps pointing at the platform ingress.
