Wildcard custom domains
Attach a wildcard domain (*.example.com) to a service so every subdomain routes through it with a single TLS certificate.
A wildcard domain lets every subdomain of your domain — app.example.com, api.example.com, anything.example.com — reach the same service without adding each one individually. Simplifyd Cloud provisions a single wildcard TLS certificate that covers all of them.
When to use a wildcard domain
| Use case | Example |
|---|---|
| Multi-tenant SaaS with per-tenant subdomains | {tenant}.example.com |
| Environment-per-branch previews | {branch}.staging.example.com |
| Microservice per subdomain under one apex | *.api.example.com |
If you only need a small fixed set of subdomains, adding them individually as standard custom domains may be simpler.
Prerequisites
- A service with at least one ingress configured.
- Access to your domain's DNS settings (your registrar or DNS provider).
- Your DNS provider must support
CNAMErecords on*and_acme-challengesubdomains. Most do.
Adding a wildcard domain
- Click the service node on the canvas to open the service panel.
- Go to the Settings tab.
- Under the ingress entry, click Add Custom Domain.
- Enter the wildcard form of your domain:
*.example.com. - Click Apply in the Apply Changes bar.
Simplifyd Cloud will display two DNS records you need to create.
Configuring DNS
Wildcard domains require two DNS records — one for traffic routing and one for TLS certificate validation. Both must be in place before the domain becomes active.
Record 1 — traffic routing
Routes all subdomain traffic to your service.
| Type | Name | Value |
|---|---|---|
CNAME | * | provided by Simplifyd Cloud (e.g. abc12.simplifyd.app) |
Record 2 — ACME certificate validation
Allows Simplifyd Cloud to prove to Let's Encrypt that it controls your domain when issuing the wildcard certificate. This uses a DNS-01 ACME challenge via CNAME delegation.
| Type | Name | Value |
|---|---|---|
CNAME | _acme-challenge | provided by Simplifyd Cloud (e.g. _acme-challenge.abc12.dns.simplifyd.net) |
Both values are shown in the Settings tab immediately after you apply. Use the copy buttons to avoid typos.
How the ACME CNAME delegation works
When Let's Encrypt validates your wildcard certificate, it looks for a TXT record at _acme-challenge.example.com. Because Simplifyd Cloud does not control your zone directly, the CNAME record redirects that lookup to a subdomain of simplifyd.net that Simplifyd Cloud owns and can write TXT tokens to on your behalf. This is the standard ACME CNAME delegation pattern — no NS delegation, no zone transfer.
Do not add an NS record for _acme-challenge.example.com. Only the CNAME record listed above is needed. An NS record pointing to an unrelated nameserver will cause certificate issuance to fail.
Waiting for propagation
DNS changes can take a few minutes to several hours to propagate depending on your provider and TTL settings. Simplifyd Cloud checks the CNAME delegation automatically and begins issuing the certificate once both records are detected.
You can monitor progress in the Settings tab — the domain status will update in real time.
Certificate status
| Status | Meaning |
|---|---|
| Pending | Neither DNS record detected yet |
| Issuing | _acme-challenge CNAME found; wildcard certificate being provisioned |
| Active | Both records confirmed; certificate issued and serving *.example.com |
| Error | Validation failed — check that both DNS records are correct |
If the status stays on Error, verify:
- The
*CNAME points to the Simplifyd-provided value (not your own server). - The
_acme-challengeCNAME points to the full_acme-challenge.…simplifyd.netvalue, with the prefix included. - No conflicting NS record exists on
_acme-challenge.example.com.
Limitations
- Apex domain not supported. A wildcard
*.example.comdoes not cover the rootexample.comitself. If you need the apex, add it as a separate standard custom domain. - Single level only.
*.example.commatchesfoo.example.combut notfoo.bar.example.com. Deeper nesting requires a separate wildcard such as*.bar.example.com. - One wildcard per ingress. Each ingress supports one wildcard domain. You can still combine it with individual custom domains on the same ingress.
Removing a wildcard domain
- Open the service panel → Settings tab.
- Find the wildcard domain entry and click the trash icon next to it.
- Click Apply to confirm.
After removal, subdomain traffic will no longer reach your service. Remove or update both DNS records (* CNAME and _acme-challenge CNAME) at your DNS provider to avoid dangling pointers.
