Add a custom domain

Updated April 2026

Every StackBlaze service gets a free .stackblaze.app subdomain out of the box. When you're ready to use your own domain, StackBlaze handles the full TLS provisioning pipeline (DNS verification, Let's Encrypt certificate issuance, and automatic renewal) without you touching a single Kubernetes resource.

Certificates are issued via cert-manager and stored as Kubernetes Secrets. They renew automatically 30 days before expiry, so you'll never face an expired certificate in production.

Traffic flow

[Diagram] User Browser (myapp.com; DNS → LB IP) → Load Balancer (TLS termination; Let's Encrypt cert) → Ingress Controller (nginx / traefik; routes by hostname) → Your Service (ClusterIP; internal only)
Edge labels: HTTPS:443, TLS, HTTP:80, cert, internal

DNS records

DNS zone (your registrar)

; Option A: subdomain → CNAME (recommended)
api IN CNAME stackblaze-lb.example.com.

; Option B: apex domain → A record
@ IN A 203.0.113.42

; CNAME is preferred: if the LB IP changes, the CNAME updates automatically

CLI workflow

stackblaze CLI

$ stackblaze domains add myapp.com --service my-web-service
Domain myapp.com added to service my-web-service.
Add this DNS record at your registrar:
@ IN A 203.0.113.42
Waiting for DNS propagation...
[██████████░░░░░░░░░░] checking every 30s
DNS verified after 4 min 12 s
Requesting certificate from Let's Encrypt...
✓ Certificate issued expires 2026-07-13
✓ https://myapp.com is live

Under the hood

  • cert-manager Certificate CR: StackBlaze creates a Certificate custom resource targeting a ClusterIssuer backed by Let's Encrypt. cert-manager handles the full ACME lifecycle automatically.
  • HTTP-01 ACME challenge: cert-manager annotates the Kubernetes Ingress to temporarily serve a challenge token at /.well-known/acme-challenge/. Let's Encrypt fetches the token over port 80 to confirm domain ownership.
  • Kubernetes Ingress routing: once verified, an Ingress rule is created that routes requests for your hostname to your service's ClusterIP. The Ingress controller (nginx or Traefik) handles SNI-based TLS termination.
  • Auto-renewal: cert-manager watches certificate expiry and renews 30 days before the deadline. Zero downtime, zero action needed on your part. Renewed certificates are stored in the same Kubernetes Secret and picked up by the Ingress controller automatically.
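
Because renewal happens 30 days before expiry, a served certificate with fewer than 30 days left means auto-renewal has stalled and needs attention before the expiry date. The check below is an added example, not StackBlaze or cert-manager code; the function names and the sample certificate are constructed for illustration, with the expiry date taken from the CLI output above.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # renewal window stated on this page


def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate as a dict (needs network access)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def renewal_status(cert, hostname, now):
    """Classify a getpeercert()-style dict against the renewal window."""
    # Exact SAN match is enough here: HTTP-01 cannot issue wildcard certificates.
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if hostname.lower() not in sans:
        return "hostname-not-in-san", None
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if now >= not_after:
        return "expired", days_left
    if days_left < RENEW_BEFORE_DAYS:
        return "renewal-overdue", days_left  # renewal should already have run
    return "ok", days_left


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "myapp.com"),),
    "notAfter": "Jul 13 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for day in ("2026-05-01", "2026-06-20", "2026-07-14"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, renewal_status(SAMPLE_CERT, "myapp.com", now))
```

For a live check, pass the result of fetch_cert("myapp.com") and datetime.now(timezone.utc) to renewal_status and alert on anything other than "ok".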

Step by step

01. Add your domain in the dashboard

Open your service in the StackBlaze dashboard, go to the "Domains" tab, and click "Add domain". Enter your apex domain (e.g. myapp.com) or subdomain (e.g. api.myapp.com). StackBlaze will show you the DNS record you need to create.

02. Create a DNS record at your registrar

For a subdomain, create a CNAME record pointing to stackblaze-lb.example.com. For an apex domain (no www prefix), create an A record pointing to the cluster's load balancer IP shown in the dashboard. DNS changes typically propagate in 5–30 minutes, though it can take up to 48 hours.

03. Wait for DNS propagation

StackBlaze polls your DNS record every 30 seconds. Once it detects the correct value, it automatically triggers the ACME challenge. You can monitor status in the "Domains" tab, which shows the "Awaiting DNS", "Verifying", and "Certificate issued" states.

04. Certificate is auto-issued

StackBlaze uses cert-manager to request a TLS certificate from Let's Encrypt via an HTTP-01 ACME challenge. The Ingress controller temporarily serves /.well-known/acme-challenge/ on port 80 to prove domain ownership. The certificate is stored as a Kubernetes Secret and renewed automatically before it expires.

05. Domain goes live

Once the Certificate resource reaches "Ready" status, the Ingress rule for your domain is activated. HTTPS traffic on port 443 is terminated at the Ingress controller and forwarded to your service over HTTP on the internal cluster network. HTTP requests are automatically redirected to HTTPS.