Setting Up Custom Domain
If you prefer to use your own custom domain, this page will guide you through setting this up in minutes.
This is a solution for setting up custom domains with automatic SSL certificate management for dstack applications using Cloudflare DNS and Let's Encrypt. With this implementation, Phala enables the world's first Zero Trust HTTPS solution for your domain and apps running in a Confidential VM on Phala Cloud with one click.
This project enables you to run dstack applications with your own custom domain, complete with:
Automatic SSL certificate provisioning and renewal via Let's Encrypt
Cloudflare DNS configuration for CNAME, TXT, and CAA records
Nginx reverse proxy to route traffic to your application
Certificate evidence generation for verification
You need to host your domain on Cloudflare and have access to the Cloudflare account with an API token.
If you have not yet generated an API token for managing your domain, follow these steps. Scope the token to DNS edit permission on that one zone only: it is stored in the CVM's environment, and managing DNS records is all the ingress needs it for.
First, go to your Phala Cloud Dashboard and deploy a new CVM. Select the docker-compose.yml option for deployment, then paste the docker compose file below into the Advanced tab of the CVM configuration page.
Explanation of environment variables:
CLOUDFLARE_API_TOKEN: Your Cloudflare API token
DOMAIN: Your custom domain
GATEWAY_DOMAIN: The dstack gateway domain (e.g. _.dstack-prod5.phala.network for Phala Cloud)
CERTBOT_EMAIL: Your email address used in Let's Encrypt certificate requests
TARGET_ENDPOINT: The plain HTTP endpoint of your dstack application; the Nginx reverse proxy terminates TLS for your domain and forwards requests to it
SET_CAA: Set to true to enable CAA record setup
If you prefer video content, check the YouTube tutorial here.
Here is how it should look in the dashboard.
Next, grab the Cloudflare API token for your domain and fill in the environment variables. For this example, deploy to prod5, so GATEWAY_DOMAIN is _.dstack-prod5.phala.network.
The dstack-ingress system provides mechanisms to verify and attest that your custom domain endpoint is served by the intended TEE application and properly configured: a TDX quote binds the certificate and ACME account to the enclave, CAA records pin issuance to that account, and Certificate Transparency logs make every issued certificate publicly visible.
When certificates are issued or renewed, the system automatically generates a set of cryptographically linked evidence files.
Access Evidence Files:
Evidence files are accessible at https://your-domain.com/evidences/
Key files include acme-account.json, cert.pem, sha256sum.txt, and quote.json
Verification Chain:
quote.json contains a TDX quote with the SHA-256 digest of sha256sum.txt embedded in the report_data field
sha256sum.txt contains cryptographic checksums of both acme-account.json and cert.pem
When the TDX quote is verified (its signature chain checked against Intel's attestation collateral and its measurements matched to the expected dstack image and application), the report_data match cryptographically proves the integrity of the entire evidence chain. Checking only the hashes, without verifying the quote itself, proves nothing about where the files came from.
Certificate Authentication:
acme-account.json contains the ACME account credentials used to request certificates
When combined with the CAA DNS record, which pins issuance to that account URI, this provides evidence that certificates can only be requested from within this specific TEE application
cert.pem is the Let's Encrypt certificate currently serving your custom domain; it should be byte-for-byte the certificate your TLS client receives when connecting to the domain
If you've enabled CAA records (SET_CAA=true), you can verify that only authorized Certificate Authorities can issue certificates for your domain by querying its CAA records:
The output will display CAA records that restrict certificate issuance exclusively to Let's Encrypt with your specific account URI, providing an additional layer of security. A CAA record without the accounturi parameter only pins the CA, not the account, and CAA is consulted by the CA at issuance time, so it restricts future issuance rather than affecting certificates that already exist.
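The following POSIX shell functions are an added example, not part of dstack-ingress, for checking the CAA answer mechanically. They assume you pass the expected ACME account URI explicitly (take it from acme-account.json; the exact field name depends on that file's format) and feed them the output of dig +short CAA for the domain. The check passes only when at least one issue or issuewild record exists and every such record names letsencrypt.org with exactly that accounturi, so a stray second issuer, a record missing the account pin, or an empty answer all fail.

```shell
#!/bin/sh
# Added example, not dstack-ingress code: check a domain's CAA record set
# against the ACME account URI the TEE application holds.
# Assumption: the account URI is passed explicitly (read it from
# acme-account.json; the exact field name depends on that file's format).

caa_records_ok() {
    # $1    = expected ACME account URI, e.g.
    #         https://acme-v02.api.letsencrypt.org/acme/acct/123456
    # stdin = output of `dig +short CAA <domain>`, one record per line:
    #         0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"
    # Returns 0 only if at least one issue/issuewild record exists and every
    # one of them names letsencrypt.org with exactly that accounturi.
    expected=$1
    n=0
    bad=0
    while read -r flags tag value; do
        if [ -z "$tag" ]; then continue; fi
        case "$tag" in
            issue|issuewild) ;;
            *) continue ;;      # iodef and unknown tags do not grant issuance
        esac
        n=$((n + 1))
        # Drop the surrounding quotes; the value is "<ca>; <param>=<v>; ...".
        v=$(printf '%s' "$value" | sed 's/^"//; s/"$//')
        ca=$(printf '%s' "$v" | cut -d';' -f1 | tr -d ' ')
        uri=$(printf '%s' "$v" | tr ';' '\n' | sed -n 's/^[[:space:]]*accounturi=//p' | tr -d ' ')
        if [ "$ca" != "letsencrypt.org" ] || [ "$uri" != "$expected" ]; then
            echo "CAA record not pinned to the expected account: $flags $tag $value" >&2
            bad=1
        fi
    done
    if [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}

check_domain_caa() {
    # Live check. dig does not climb the tree the way a CA does (RFC 8659):
    # if the name itself has no CAA records, repeat for each parent zone
    # before concluding that issuance is unrestricted.
    dig +short CAA "$1" | caa_records_ok "$2"
}

# Usage: check_domain_caa your-domain.com https://acme-v02.api.letsencrypt.org/acme/acct/123456
```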
All Let's Encrypt certificates are logged in public Certificate Transparency (CT) logs, enabling independent verification:
CT Log Verification:
Confirm that the certificates logged for your domain match those issued by the dstack-ingress system (the cert.pem in the evidence directory)
This public logging ensures that all certificates are visible and can be monitored for unauthorized issuance
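The following POSIX shell functions are an added example, not dstack-ingress code, for the CT comparison. They assume the crt.sh JSON output (https://crt.sh/?q=your-domain.com&output=json) carries each entry's serial as a hex string in a "serial_number" field, and that openssl is available locally to read cert.pem. Serials are normalised (lower case, leading zeros stripped) so the openssl and crt.sh representations compare equal; precertificate and leaf entries share a serial, so both match the served certificate.

```shell
#!/bin/sh
# Added example, not dstack-ingress code: compare the certificate from the
# evidence directory with what public CT logs show for the domain, using
# crt.sh JSON output. Assumptions: crt.sh entries carry a hex "serial_number"
# field, and openssl is available locally for cert.pem.

norm_serial() {
    # Lower-case hex with leading zeros removed, so both sides compare equal.
    tr 'A-F' 'a-f' | sed 's/^0*//'
}

cert_serial() {
    # Normalised serial number of a PEM certificate (cert.pem from /evidences/).
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | norm_serial
}

ct_serials() {
    # stdin = crt.sh JSON array; prints one normalised serial per logged entry.
    grep -o '"serial_number"[[:space:]]*:[[:space:]]*"[0-9a-fA-F]*"' \
        | sed 's/.*"\([0-9a-fA-F]*\)"$/\1/' | norm_serial
}

ct_has_serial() {
    # Returns 0 if the CT entries on stdin include certificate serial $1.
    ct_serials | grep -qx "$1"
}

ct_other_serials() {
    # Prints serials logged for the domain other than $1. Renewals you already
    # know about are expected here; anything else deserves investigation.
    ct_serials | grep -vx "$1" | sort -u
}

# Live usage:
#   serial=$(cert_serial ev/cert.pem)
#   curl -fsS "https://crt.sh/?q=your-domain.com&output=json" > ct.json
#   ct_has_serial "$serial" < ct.json && echo "served certificate is CT-logged"
#   ct_other_serials "$serial" < ct.json
```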
For more details, check out the dstack-ingress entry in the dstack examples.
Click the Create button and your CVM will deploy in a couple of minutes with the custom domain. Here is an example of a custom domain deployed to
You can check the example of the deployment at .
Visit and search for your domain