ContextQMD
Back to Denoland

Domains

deploy/reference/domains.md

latest6.4 KB
Original Source

Every organization has a default domain used for all applications deployed within that organization. For example, an organization with the slug acme-inc would have a default domain of acme-inc.deno.net. An application named my-app would automatically receive the production domain my-app.acme-inc.deno.net.

In addition to these default domains, you can add custom domains to your applications. Custom domains are domains that you own and control. To use a custom domain, you must:

  1. Own the domain (purchased from a domain registrar)
  2. Have access to edit its DNS records

Custom domains belong to an organization and can be attached to any application within that organization.

A custom domain can be added as:

  • A base domain (e.g., example.com or a specific subdomain)
  • A wildcard domain (e.g., *.example.com)

A base domain works with a single application, while a wildcard domain offers more flexibility. You can either:

  • Assign the entire wildcard to one application (all subdomains point to the same app)
  • Partially assign it to multiple applications (different subdomains point to different apps)

All custom domains require valid TLS certificates. Deno Deploy can automatically provision these certificates using Let's Encrypt. Alternatively, you can bring your own TLS certificates, which you will then need to renew manually.

Adding a custom domain

  1. Go to the organization domains page (click your organization name in the top left corner, then the "Domains" tab)
  2. Click "Add Domain"
  3. Enter your domain (e.g., example.com)
  4. Select whether to add just this domain or also include the wildcard subdomain
  5. Click "Add Domain"

This will open the domain configuration drawer.

DNS configuration

The domain configuration drawer shows the DNS records needed to:

  • Verify domain ownership
  • Optionally provision TLS certificates
  • Route traffic to Deno Deploy

There are three possible configuration methods, depending on your domain registrar's capabilities:

ANAME/ALIAS method (preferred)

If your registrar supports ANAME or ALIAS records, this is the best option:

  • Add one ANAME/ALIAS record
  • Add one CNAME record for verification

CNAME method

Works well for subdomains but not for apex domains:

  • Add two CNAME records
  • Note: This method doesn't allow other DNS records (like MX records) on the same domain

A record method

Most compatible but requires more configuration:

  • Add one A record
  • Add one CNAME record for verification

Note: Deno Deploy does not currently support IPv6. When using the ANAME/ALIAS or CNAME methods, your domain will automatically use IPv6 when supported. With the A method, you'll receive an email when it's time to add an AAAA record.

:::caution

When using Cloudflare as your DNS provider, you MUST disable the proxying feature (orange cloud) for the _acme-challenge CNAME record, or verification and certificate provisioning will fail.

:::

Verification

After adding the DNS records, Deno Deploy will verify your domain ownership. This process may take a few minutes depending on your DNS provider. You can leave the domain configuration drawer open during verification — it will refresh automatically when complete.

You can manually trigger verification by clicking the "Provision Certificate" button. Successful verification also initiates TLS certificate provisioning.

TLS certificates

After domain verification, you need a valid TLS certificate to use the domain with Deno Deploy. You can either have Deno Deploy provision a certificate for you using Let's Encrypt, or you can bring your own certificate.

Automatic provisioning (Let's Encrypt)

After domain verification, click "Provision Certificate" to generate a TLS certificate through Let's Encrypt. This process can take up to 90 seconds.

Once provisioned, you'll see certificate details including expiration date and issue time.

Certificates are automatically renewed near expiration. You can check the current certificate status in the domain configuration drawer.

If automatic renewal fails (for example, because DNS records changed), you will receive an email notification 14 days before the certificate expires. You then have a chance to fix the issue and contact support to retry the renewal. If the certificate is not renewed before expiration, the domain will stop working.

Bring your own certificate

If you prefer to use your own TLS certificate, you can upload it in the domain configuration drawer. You'll need to provide the following:

  • The certificate file (PEM format)
  • The private key file (PEM format)

Once uploaded, the certificate will be used for the domain. You are responsible for renewing and updating the certificate before it expires.

You will receive email notifications 14 days before the certificate expires reminding you to update it. If the certificate expires, the domain will stop working.

The TLS certificate must be valid at the time of upload. It must cover the base domain (and, if you have a wildcard domain, the wildcard subdomain as well) through either the common name or the subject alternative names in the certificate. The private key and certificate must match, and must be either RSA (2048, 3072, or 4096 bits) or ECDSA (P-256, P-384, or P-521).

Assigning a custom domain to an application

After adding a custom domain to your organization:

  1. Go to the organization domains page
  2. Click "Assign" next to the custom domain
  3. Select the target application
  4. If using a wildcard domain, choose whether to attach the base domain, the wildcard, or a specific subdomain
  5. Click "Assign Domain"

Unassigning a custom domain from an application

  1. Go to the application settings page
  2. Find the "Custom Domains" section
  3. Click "Remove" next to the domain you want to unassign

This removes the domain from the application but keeps it available in your organization for use with other applications.

Removing a custom domain

  1. Go to the organization domains page
  2. Open the domain configuration drawer
  3. Click "Delete" and confirm

This removes the custom domain from your organization and deletes all domain assignments across all applications.

Migrating a custom domain from Deploy Classic to Deno Deploy

If you have previously set up a custom domain on Deploy Classic and want to migrate it to Deno Deploy, we've created a step-by-step tutorial to guide you through the process.