Domains & SSL

Domains and TLS are the front door of every public service. DeployDock focuses on making that door boringly reliable: correct virtual hosts, consistent certificate lifecycle, and error messages that tell you whether the problem is DNS, HTTP validation, or something stranger.

Hostnames are a contract with the internet

Before a certificate can issue, the world has to agree which server answers for a name. That means understanding A/AAAA records, CNAME flattening quirks at certain DNS providers, and the difference between apex domains and www pools. The panel should guide you through the checks that matter: does this hostname resolve here, is port 80 reachable for HTTP-01, and is there an old conflict hiding in a stale include file?

If you are new to the model, read Domains and SSL in the concepts section—they explain how DeployDock thinks about vhosts, listeners, and certificate storage without assuming you live in /etc/nginx daily.

Certificate renewal is operations, not magic

Let’s Encrypt and similar CAs made issuance easy; renewal remains an operational responsibility. Clock skew, firewall changes, and accidental DNS moves break renewals in ways that only show up sixty days later. DeployDock aims to surface renewal status early: when the next attempt happens, what failed last time, and whether a manual DNS challenge is needed for wildcard certs.

For admin steps that mirror the UI, see Issue SSL and Add domain.

Mixed content and modern defaults

TLS is more than a green padlock. Modern apps need HSTS decisions, correct chain files, and sane cipher defaults that do not exclude older clients you still care about. DeployDock’s defaults skew modern, but enterprise teams sometimes need explicit compatibility modes—document those deviations in your internal runbooks so the next engineer understands why.

Troubleshooting without panic

When validation fails, start narrow:

  1. DNS propagation — use multiple resolvers; some panels cache aggressively.
  2. HTTP reachability — temporary redirects or basic auth on /.well-known paths break HTTP-01.
  3. IPv6 surprises — if AAAA exists, some validators prefer it; a broken v6 path looks like “random” failure.
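
The reachability and IPv6 checks above can be scripted as a pre-flight run before requesting a certificate. This is an added example, not DeployDock code: the function names, the probe token, example.com and the documentation-range addresses are all assumptions. It uses only the system resolver, so the multi-resolver comparison in step 1 still needs a separate DNS tool.

```python
import http.client
import socket

# Constructed token: any unknown name under the challenge directory will do.
PROBE_PATH = "/.well-known/acme-challenge/preflight-probe"

def resolve(host):
    """A and AAAA addresses for host, as seen by the system resolver only."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def probe(ip, host, timeout=5):
    """GET the probe path from one address; redirects are not followed."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException) as exc:
        return None, str(exc)
    finally:
        conn.close()

def classify(ip, status, detail):
    """Map one probe result to a finding, or None when nothing is flagged."""
    family = "IPv6" if ":" in ip else "IPv4"
    if status is None:
        return f"{family} {ip}: port 80 unreachable ({detail})"
    if status in (401, 403):
        return f"{family} {ip}: HTTP {status}, auth or ACL on the challenge path"
    if 300 <= status < 400:
        return f"{family} {ip}: HTTP {status} redirect to {detail}"
    return None  # other statuses (e.g. 200, 404) are not flagged

def preflight(host, expected_ips, resolver=resolve, prober=probe):
    """Return a list of findings; an empty list means no blocker was seen."""
    findings = []
    for ip in resolver(host):
        if ip not in expected_ips:
            findings.append(f"DNS: {host} resolves to {ip}, not this server")
            continue
        finding = classify(ip, *prober(ip, host))
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    # Placeholder hostname and addresses; replace with your own.
    print(preflight("example.com", {"203.0.113.10", "2001:db8::10"}))
```

Each address is probed separately with the Host header set, so a working IPv4 path cannot mask a broken IPv6 one.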

The troubleshooting matrix collects common failure shapes. If you are blocked on a wildcard or internal-only hostname, contact us and we can map you to the enterprise networking docs.