English Español Português (Brasil) Français Deutsch Italiano Română
Log in Start free trial

Custom-domain SSL

We issue and renew SSL certificates automatically via Let's Encrypt. What to do if something looks wrong.

SSL on custom domains is handled automatically. There's no certificate to buy, no PEM to upload, no renewal calendar reminder.

How it works

  1. You add a custom domain via Custom domain DNS.
  2. Your CNAME points at <your-subdomain>.nura24.com.
  3. Our edge proxy (Caddy) sees a request for the new hostname, requests a Let's Encrypt cert for it, completes the HTTP-01 challenge by serving the response on port 80, and starts using the cert for HTTPS.
  4. Every 60 days, the proxy renews the cert before expiry.

This happens within seconds of the CNAME resolving correctly. There's no Nura24 button to click.

Verifying SSL is live

Open https://support.acme.com in a browser. You should see:

  • A valid green padlock (no certificate warnings).
  • The certificate issuer is Let's Encrypt.
  • Subject is your custom domain.

You can also check from the command line:

openssl s_client -connect support.acme.com:443 -servername support.acme.com < /dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

What can go wrong

  • CNAME doesn't resolve — the cert can't be issued (HTTP-01 challenge fails). Verify DNS first.
  • Cloudflare proxy is on — orange cloud blocks our HTTP-01 challenge. Turn proxy off for the subdomain (DNS only / gray cloud).
  • Let's Encrypt rate limits — if you've requested certs for the same domain many times in a week (50 per 168 hours), further requests fail until the window resets. Usually only an issue if you're rapidly removing and re-adding the domain.
  • Bad CAA record — if you have a CAA record on acme.com that excludes Let's Encrypt, our request is rejected. Either remove the CAA record or add 0 issue "letsencrypt.org".

What you should NEVER do

  • Don't try to install your own certificate — there's no UI for it, and our edge would conflict with any custom cert.
  • Don't proxy through a CDN that strips HTTP (we need port 80 for the challenge). Cloudflare with proxy OFF is fine.
  • Don't change the CNAME target. Always points at your-subdomain.nura24.com, never a fixed IP.

SSL expiration

Certs are valid for 90 days. We renew at 60 days, well before expiry. If renewal fails for some reason (cert authority outage, DNS misconfiguration), we'll alert you via the workspace dashboard before the cert actually expires.

Custom certificates / EV

Not supported. We only do Let's Encrypt domain-validated certs. If your compliance requires an EV cert from a specific CA, Nura24 may not be the right platform — let us know and we'll discuss case by case.