Custom Domains with Automatic TLS: How SOSEI Ships Your Site at example.com
From your-site.sosei.site to www.example.com without buying hosting, paying for a TLS cert, or learning anything about DNS. The Cloudflare for SaaS pipeline that gets your custom domain live and HTTPS-secured in minutes.
A modern website needs to live at a memorable domain, served over HTTPS, with a valid TLS certificate, fast TCP termination at the edge, and zero ongoing maintenance from the owner. Until recently that meant buying hosting, generating CSRs, paying for or configuring Let’s Encrypt, and learning enough about DNS to not break it. SOSEI ships all of that as a single product feature: enter your domain, get a working HTTPS site.
The architecture: Cloudflare for SaaS
SOSEI uses Cloudflare for SaaS’s Custom Hostnames feature as the TLS termination layer for every customer domain. The flow:
- Customer enters www.example.com in the dashboard.
- SOSEI calls Cloudflare’s API to create a custom hostname under our zone (sosei.site) and stores the returned ID against the project.
- SOSEI calls DigitalOcean’s API to attach the customer domain to our App Platform app spec, so requests routed to us are answered by the right project.
- The dashboard shows the customer the DNS records they need to add at their registrar.
- Once Cloudflare confirms the DNS records resolve, it automatically validates ownership and issues a per-hostname Let’s Encrypt cert.
- The dashboard polls for status; domain_verified flips true once both ownership and SSL are active. The site is live at the custom domain over HTTPS.
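The last two steps of that flow, as an added example (not SOSEI's own code): it turns a custom-hostname API result into the DNS records to display and computes domain_verified so that it fails closed. The sample response is constructed, its token and ID values are placeholders, and the function names are hypothetical.

```python
# Constructed sample shaped like a Cloudflare custom-hostname result;
# the id and token values are placeholders, not real data.
SAMPLE_RESULT = {
    "id": "PLACEHOLDER-HOSTNAME-ID",
    "hostname": "www.example.com",
    "status": "pending",
    "ownership_verification": {
        "type": "txt",
        "name": "_cf-custom-hostname.www.example.com",
        "value": "PLACEHOLDER-OWNERSHIP-TOKEN",
    },
    "ssl": {
        "method": "txt",
        "status": "pending_validation",
        "validation_records": [
            {"txt_name": "_acme-challenge.www.example.com",
             "txt_value": "PLACEHOLDER-ACME-TOKEN"},
        ],
    },
}


def dns_records_to_show(result, cname_target="proxy.sosei.site"):
    """Return (type, name, value) tuples for the subdomain case."""
    records = [("CNAME", result["hostname"], cname_target)]
    own = result.get("ownership_verification") or {}
    if own.get("type") == "txt":
        records.append(("TXT", own["name"], own["value"]))
    for rec in (result.get("ssl") or {}).get("validation_records") or []:
        if "txt_name" in rec:
            records.append(("TXT", rec["txt_name"], rec["txt_value"]))
    return records


def domain_verified(result):
    """True only when ownership AND the certificate are both active.

    Missing or unexpected fields count as not verified (fail closed).
    """
    ssl_status = (result.get("ssl") or {}).get("status")
    return result.get("status") == "active" and ssl_status == "active"
```
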
The DNS side: subdomain vs apex
DNS is where most owners get nervous. SOSEI handles both common cases:
Subdomain (www.example.com, app.example.com)
The simplest case. The customer adds:
- One CNAME record pointing www to proxy.sosei.site.
- One TXT record for ownership verification: _cf-custom-hostname.www.
- One TXT record for SSL validation: _acme-challenge.www.
Works at every DNS provider in the world. Five minutes of copy-paste from the dashboard’s “Go live” panel.
Apex domain (example.com)
The apex (root) of a domain is technically more complicated because DNS doesn’t allow CNAME records on the apex. There are three workable options, and the SOSEI dashboard surfaces them as a choice depending on the customer’s registrar:
- Cloudflare CNAME flattening — if the customer is willing to switch their DNS nameservers to Cloudflare’s free plan, CNAME flattening lets them point the apex to proxy.sosei.site as if it were a subdomain. Recommended.
- ALIAS / ANAME records — modern DNS providers (DNSimple, Hover, Gandi LiveDNS, Namecheap PremiumDNS, easyDNS) support ALIAS or ANAME records that resolve apex like a CNAME at the resolver level. Works identically to CNAME flattening but on the customer’s existing nameservers.
- Two A records — for legacy DNS providers (GoDaddy, Zone.ee, Namecheap basic, Bluehost, Hostinger), the customer adds two A records pointing to the static IPs SOSEI provides. Cloudflare routes the traffic correctly by SNI at the edge.
Plus the two TXT records (ownership + ACME challenge) in every case. The dashboard’s GoLivePanel automatically detects whether the entered domain is an apex or subdomain and renders the right instructions.
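One way to make the apex-versus-subdomain decision, as an added example rather than the GoLivePanel's actual logic: counting labels misclassifies domains such as example.co.uk, so the split uses public suffixes. The suffix set here is a small constructed subset of the Public Suffix List, and the function names and token placeholders are hypothetical.

```python
# Constructed subset of the Public Suffix List, for illustration only;
# a real check should load the full list.
PUBLIC_SUFFIXES = {"com", "site", "ee", "uk", "co.uk"}
CNAME_TARGET = "proxy.sosei.site"  # target named in the article


def split_domain(hostname):
    """Return (subdomain, registrable_domain); subdomain is '' for an apex."""
    labels = hostname.lower().rstrip(".").split(".")
    # i grows, so the longest matching suffix is found first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("hostname is itself a public suffix")
            return ".".join(labels[:i - 1]), ".".join(labels[i - 1:])
    raise ValueError("unknown public suffix")


def go_live_records(hostname):
    """Record names relative to the customer's zone, as typed at a registrar."""
    sub, _zone = split_domain(hostname)
    if sub:
        # Subdomain: a plain CNAME works at every provider.
        routing = ("CNAME", sub, CNAME_TARGET)
        suffix = "." + sub
    else:
        # Apex: no CNAME allowed. Flattened CNAME or ALIAS/ANAME shown here;
        # legacy providers use two A records with IPs from the dashboard.
        routing = ("ALIAS", "@", CNAME_TARGET)
        suffix = ""
    return [
        routing,
        ("TXT", "_cf-custom-hostname" + suffix, "<ownership token>"),
        ("TXT", "_acme-challenge" + suffix, "<ACME token>"),
    ]
```
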
Why the TLS cert is “automatic”
Cloudflare’s ACME integration with Let’s Encrypt means that the moment the _acme-challenge TXT record is reachable, Cloudflare requests and installs a per-hostname certificate. No CSR generation, no manual cert upload, no “the cert expired and the site is now broken” moment that small businesses still suffer through annually. Certs auto-renew on a ~60-day cycle.
The fallback: legacy verification mode
When the Cloudflare API token isn’t configured (early development, self-hosting), SOSEI falls back to a simpler ownership-only flow: the customer adds a _sosei-verify TXT record to prove they own the domain, and the site is served without TLS termination at the customer domain. This is appropriate for dev / staging only — production deployments always run through Cloudflare.
What the customer never has to think about
Compared to the traditional “buy hosting + buy domain + configure DNS + buy cert + install cert + configure web server” flow, the SOSEI customer never has to:
- Buy a hosting plan.
- Generate a certificate signing request or paste cert/key files anywhere.
- Touch a web server config, NGINX, Apache, or .htaccess.
- Remember to renew anything, ever.
- Worry about the site going down because a cert expired or a server ran out of disk.
The whole infrastructure layer is “invisible by design” — the customer’s only DNS-related action is pasting three or four records once, which the dashboard hands them as copy-clickable text with one-shot copy buttons.
Bottom line
Custom domains used to be the friction point that scared owners away from leaving WordPress. With Cloudflare for SaaS doing the TLS heavy lifting and a dashboard that surfaces the exact DNS records to add, that friction is now ~5 minutes of copy-paste. Every SOSEI subscription includes unlimited custom domains on the project — bring as many as you need. Start a project and your site is live at your own domain the same afternoon.