Free TLS for every
customer hostname.
Let's Encrypt certificates issued on the first request, renewed forever, monitored 24/7. No ACME library, no renewal cron, no 2am pages from the cert outage you can't reproduce.
50 custom hostnames and 100 GB bandwidth free, forever.
Trusted by teams building the future of SaaS
Why outsource SSL
The cert provisions when the first HTTPS request hits the hostname. No idle warmup queue, no pre-issue race conditions, no second-tier slow paths. Sub-30 second TTL from DNS to working cert.
Renewed ~30 days before expiry, server-side, with no traffic disruption. If renewal fails, we retry, alert, and fall back to issue-on-next-request. The 2am cron-failure problem is gone.
Let's Encrypt limits 50 certs/week per registered domain. We hold multiple ACME accounts and rotate proactively. Your provisioning never hits the cap.
Why we bundle SSL with custom domains: they're the same problem. Every customer hostname needs both a route and a cert, end of story. Two services would mean two billing models, two SLA pages, and two failure modes that both manifest as "https not working."
Cert lifecycle, end to end
Three things happen automatically every time a customer connects a domain.
01
Issue on first request
DNS lands, customer's browser hits HTTPS, our edge issues a Let's Encrypt cert via ACME HTTP-01 and serves it on the same request.
02
Renew ~30 days before expiry
Renewal worker calls ACME, fetches the new cert, hot-swaps at the edge. Zero downtime, no client reconnect. Webhook fires on success.
03
Monitor + alert on drift
If a cert is < 14 days from expiry and hasn't renewed, we alert. If the chain breaks, we alert. The cert never silently dies.
You don't talk to ACME. You make one API call.
Same POST /v1/domains call as the Connect API. Your customer adds one CNAME. The cert provisions, the cert renews, the cert is monitored. All of that lives behind one webhook stream.
One call. Cert ships on first request.
$ curl https://api.domainee.dev/v1/domains \
-H "Authorization: Bearer sk_live_…" \
-d '{
"hostname": "shop.acme.com",
"originUrl": "https://acme.fly.dev"
}'
{
"domain": {
"id": "8f09b47c-…",
"status": "pending",
"dnsRecords": [
{ "type": "CNAME",
"name": "shop.acme.com",
"value": "edge.domainee.dev" }
],
"sslActiveUntil": null
}
}domain.verified fires the moment HTTPS works.
{
"id": "evt_4Lpq…",
"type": "domain.verified",
"createdAt": "2026-05-21T11:42:17Z",
"data": {
"id": "8f09b47c-…",
"hostname": "shop.acme.com",
"status": "verified",
"sslActiveFrom": "2026-05-21T11:42:14Z",
"sslActiveUntil": "2026-08-19T11:42:14Z"
}
}Renewal events fire the same way under domain.monitor_updated. Your DB stays in sync without polling.
The SSL stack you don't have to maintain
- An ACME-v2 client library, with retry logic for the half-dozen ways the protocol can stall.
- An ACME account pool — Let's Encrypt rate-limits to 50/week per registered domain; you'd need to rotate accounts proactively.
- A cert store at the edge with hot-reload on every renewal, plus a fallback while a cert is mid-rotation.
- An SNI router that handles thousands of hostnames without a TLS handshake delay.
- A renewal cron with monitoring, alerting, and a manual override for the times it fails.
- An on-call rotation for cert outages, because every minute of expired-cert is a customer who sees a scary browser warning.
Frequently asked
- Which certificate authority does Domainee use?
- Let's Encrypt by default. ECDSA P-256 keys. ACME-v2 protocol. The cert chain is identical to what you'd get if you ran certbot yourself — every browser trusts it without any extra setup.
- How long does cert issuance take?
- Typically 5-30 seconds from the moment we see the DNS pointing at our edge. The cert provisions on the first HTTPS request to the hostname (lazy issuance), so there's no idle warmup — the first user gets a fresh cert immediately.
- What about renewals?
- We renew ~30 days before expiry. The renewal happens server-side with no traffic disruption. If renewal fails (rare), we retry, alert, and fall back to issue-on-next-request. Your 2am cron-failure problem is gone.
- Do you support wildcard certs?
- Not on the customer-facing flow. Each customer hostname gets its own SAN cert (Let's Encrypt's free wildcard requires DNS-01, which we use internally for Domainee's own infra but not for the per-customer flow — HTTP-01 is faster, more reliable, and works without your customers giving us DNS access).
- What if the cert authority rate-limits us?
- Let's Encrypt rate-limits per account at 50 certs/week per registered domain. We hold multiple ACME accounts and rotate proactively. You'll never hit the limit from your side.
- Can I bring my own cert?
- Yes, on paid plans. Upload via the dashboard or POST /v1/domains/:id/cert with the PEM + private key. Useful for EV certs, organization-validated certs, or pinned root requirements.
- Do you support TLS 1.3?
- Yes. TLS 1.3 by default, TLS 1.2 fallback for older clients. No SSLv3, no TLS 1.0, no TLS 1.1 — those are blocked at the edge.
- How is this different from Cloudflare SSL for SaaS?
- Cloudflare's first-100-free + $0.10/hostname is competitive on raw cert count, but it doesn't include bandwidth, MCP/AI-agent control, or a published curve past 100. Domainee gives you 50 hostnames + 100 GB bandwidth free, then $0.20/domain graduated to $0.10 at 10,000+, with all numbers on the pricing page. Pick whichever maps closer to your billing math; we keep the math simple on purpose.
Still have questions? Ask our team →
Ship SSL today. Stop paging at 2am.
Mint an API key, register your first hostname, watch the cert issue on first request. Renewals are our problem forever.