skills/render-domains/SKILL.md
Configures custom domains and TLS certificates on Render—DNS setup, CNAME records, apex domains, wildcard domains, and certificate troubleshooting. Use when the user needs to add a custom domain, configure DNS, set up HTTPS/TLS, troubleshoot certificate issuance, disable the onrender.com subdomain, or add a wildcard domain. Trigger terms: custom domain, DNS, CNAME, TLS, SSL, HTTPS, certificate, apex domain, wildcard domain, onrender.com, domain verification.
npx skillsauth add render-oss/skills render-domains
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status.
Render automatically provisions and renews TLS certificates (via Let's Encrypt and Google Trust Services) for all custom domains. All HTTP traffic is redirected to HTTPS. Custom domains work on web services and static sites only.
*.example.com)
example.com) and www (www.example.com)
onrender.com subdomain after adding a custom domain

| Workspace tier | Custom domain limit |
|---------------|---------------------|
| Hobby | 2 custom domains (across all services) |
| Professional+ | Unlimited |

app.example.com)
Adding a www subdomain automatically adds the root domain (and vice versa) with a redirect between them.
Add a DNS record with your provider pointing to your Render service:
| Domain type | Record type | Name | Value |
|-------------|-------------|------|-------|
| Subdomain (app.example.com) | CNAME | app | <service>.onrender.com |
| Apex (example.com) on Cloudflare | CNAME (flattened) | @ | <service>.onrender.com |
| Apex on other providers | A | @ | Use Render-provided IP (see Dashboard) |
Important: Remove any AAAA (IPv6) records for your domain. Render uses IPv4, and stale AAAA records cause unexpected behavior.
Provider-specific guides:
Click Verify in the Dashboard. If verification fails, DNS may not have propagated yet—wait a few minutes and retry.
Speed up verification by flushing DNS caches:
After verification, Render issues a TLS certificate automatically.
Wildcard domains (*.example.com) route all matching subdomains to one service.
Requires three CNAME records:
| Name | Value | Purpose |
|------|-------|---------|
| * | <service>.onrender.com | Routes traffic |
| _acme-challenge | <service-id>.verify.renderdns.com | Let's Encrypt validation |
| _cf-custom-hostname | <service-id>.hostname.renderdns.com | Cloudflare DDoS validation |
Cloudflare users: If you add *.example.com without adding the root domain to Render, disable proxying (gray cloud) for the root domain to avoid routing conflicts.
If your domain has CAA records, add entries for Render's certificate authorities:
```
example.com IN CAA 0 issue "letsencrypt.org"
example.com IN CAA 0 issuewild "letsencrypt.org"
example.com IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
example.com IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
```
Without these, TLS certificate issuance fails silently.
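Because a blocking CAA set gives no visible error, it helps to evaluate the records before clicking Verify. The following is an added example, not part of the Render skill: it applies the RFC 8659 lookup rules (parent inheritance, `issuewild` taking precedence for wildcards) to a constructed record set and reports which of the two CA identifiers above would be refused. The `ZONE` data, the `ca.example.net` issuer, and all function names are assumptions made for illustration; handling of the critical flag is left out.

```python
# Added example: offline CAA preflight using RFC 8659 lookup rules.
# ZONE is constructed sample data, not real DNS answers.
RENDER_CAS = ("letsencrypt.org", "pki.goog")  # CA identifiers listed on this page

ZONE = {  # name -> CAA RRset as (flags, tag, value); all values constructed
    "example.com": [(0, "issue", "ca.example.net"), (0, "issue", "letsencrypt.org")],
    "shop.example.com": [
        (0, "issue", "pki.goog; cansignhttpexchanges=yes"),
        (0, "issuewild", ";"),  # ";" alone means no CA may issue wildcards
    ],
}


def relevant_caa(zone, name):
    """Climb from name toward the root and return the first non-empty RRset."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":  # *.X is evaluated exactly like X
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer(value):
    """The issuer domain is the text before the first ';'; parameters follow."""
    return value.split(";", 1)[0].strip().lower()


def ca_allowed(zone, name, ca):
    rrset = [(tag.lower(), issuer(val)) for _, tag, val in relevant_caa(zone, name)]
    tags = {tag for tag, _ in rrset}
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    want = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    issuers = [iss for tag, iss in rrset if tag == want]
    return not issuers or ca in issuers  # no matching property: unrestricted


def blocked_cas(zone, name):
    """Return the CAs from RENDER_CAS that CAA would stop from issuing for name."""
    return [ca for ca in RENDER_CAS if not ca_allowed(zone, name, ca)]


if __name__ == "__main__":
    for host in ("app.example.com", "shop.example.com", "*.shop.example.com"):
        print(host, "blocked:", blocked_cas(ZONE, host) or "none")
```

A subdomain with no CAA records of its own inherits the nearest parent's set, so a restrictive record at the apex can block issuance for every custom domain beneath it.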
onrender.com Subdomain
After adding at least one custom domain, you can disable the default onrender.com subdomain:
onrender.com URL receive a 404
Custom domains are specified in the domains field:
```yaml
services:
  - type: web
    name: api
    runtime: node
    plan: starter
    domains:
      - app.example.com
      - www.example.com
```
Blueprint domains only declare the domain association. You still need to configure DNS with your provider manually.
| Mistake | Fix |
|---------|-----|
| AAAA records present | Remove all IPv6 AAAA records for the domain |
| CAA records blocking issuance | Add letsencrypt.org and pki.goog entries |
| Verifying too quickly | Wait 2-5 minutes for DNS propagation, then flush caches |
| Cloudflare proxy + wildcard without root domain | Disable proxying (gray cloud) for the root domain |
| Trying to add domain to a private service | Custom domains only work on web services and static sites |
| 502 after verification | Routing rules are updating — wait a few minutes |
| Document | Contents |
|----------|----------|
| references/dns-configuration.md | Provider-specific DNS setup, apex domain options, TTL recommendations |
domains field in render.yaml