From render
Configures custom domains and TLS certificates on Render web services and static sites: DNS setup for CNAME, apex, and wildcard domains, verification, and troubleshooting.
npx claudepluginhub render-oss/skills --plugin renderThis skill uses the workspace's default tool permissions.
Render automatically provisions and renews TLS certificates (via Let's Encrypt and Google Trust Services) for all custom domains. All HTTP traffic is redirected to HTTPS. Custom domains work on **web services** and **static sites** only.
Guides DNS configuration for custom funnel domains on Netlify, Vercel, Cloudflare Pages. Covers A/CNAME records, SSL setup, provider references, verification commands, and troubleshooting.
Configures Render web services for port binding, TLS/HTTPS, health checks, custom domains, auto-deploy, PR previews, persistent disks, and deploy lifecycle. Use for web service setup, debugging health failures, domains, zero-downtime deploys, ports.
Validates DNS records, SSL certificates, redirects, HSTS, and domain health for custom domains on hosting providers like Railway, Netlify, Vercel, Cloudflare.
Share bugs, ideas, or general feedback.
Render automatically provisions and renews TLS certificates (via Let's Encrypt and Google Trust Services) for all custom domains. All HTTP traffic is redirected to HTTPS. Custom domains work on web services and static sites only.
*.example.com)example.com) and www (www.example.com)onrender.com subdomain after adding a custom domain| Workspace tier | Custom domain limit |
|---|---|
| Hobby | 2 custom domains (across all services) |
| Professional+ | Unlimited |
app.example.com)Adding a www subdomain automatically adds the root domain (and vice versa) with a redirect between them.
Add a DNS record with your provider pointing to your Render service:
| Domain type | Record type | Name | Value |
|---|---|---|---|
Subdomain (app.example.com) | CNAME | app | <service>.onrender.com |
Apex (example.com) on Cloudflare | CNAME (flattened) | @ | <service>.onrender.com |
| Apex on other providers | A | @ | Use Render-provided IP (see Dashboard) |
Important: Remove any AAAA (IPv6) records for your domain. Render uses IPv4, and stale AAAA records cause unexpected behavior.
Provider-specific guides:
Click Verify in the Dashboard. If verification fails, DNS may not have propagated yet—wait a few minutes and retry.
Speed up verification by flushing DNS caches:
After verification, Render issues a TLS certificate automatically.
Wildcard domains (*.example.com) route all matching subdomains to one service.
Requires three CNAME records:
| Name | Value | Purpose |
|---|---|---|
* | <service>.onrender.com | Routes traffic |
_acme-challenge | <service-id>.verify.renderdns.com | Let's Encrypt validation |
_cf-custom-hostname | <service-id>.hostname.renderdns.com | Cloudflare DDoS validation |
Cloudflare users: If you add *.example.com without adding the root domain to Render, disable proxying (gray cloud) for the root domain to avoid routing conflicts.
If your domain has CAA records, add entries for Render's certificate authorities:
example.com IN CAA 0 issue "letsencrypt.org"
example.com IN CAA 0 issuewild "letsencrypt.org"
example.com IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
example.com IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
Without these, TLS certificate issuance fails silently.
onrender.com SubdomainAfter adding at least one custom domain, you can disable the default onrender.com subdomain:
onrender.com URL receive a 404Custom domains are specified in the domains field:
services:
- type: web
name: api
runtime: node
plan: starter
domains:
- app.example.com
- www.example.com
Blueprint domains only declare the domain association. You still need to configure DNS with your provider manually.
| Mistake | Fix |
|---|---|
| AAAA records present | Remove all IPv6 AAAA records for the domain |
| CAA records blocking issuance | Add letsencrypt.org and pki.goog entries |
| Verifying too quickly | Wait 2-5 minutes for DNS propagation, then flush caches |
| Cloudflare proxy + wildcard without root domain | Disable proxying (gray cloud) for the root domain |
| Trying to add domain to a private service | Custom domains only work on web services and static sites |
| 502 after verification | Routing rules are updating — wait a few minutes |
| Document | Contents |
|---|---|
references/dns-configuration.md | Provider-specific DNS setup, apex domain options, TTL recommendations |
domains field in render.yaml