Set Up a Custom Domain

Point a custom domain at your Vardo app with DNS configuration and automatic TLS certificates.

Every app on Vardo gets a subdomain under your base domain automatically. But you'll probably want your own domain — app.mycompany.com instead of my-app.vardo.example.com. This tutorial covers DNS setup, TLS provisioning and multi-domain configurations.

Prerequisites

A running Vardo instance with at least one deployed app
Access to your domain's DNS settings (registrar or DNS provider)

1. Add the domain in Vardo

Open your app's detail page
Click the Domains tab
Click Add Domain
Enter the full domain — e.g., app.mycompany.com
Click Save

Vardo registers the domain with Traefik and queues a TLS certificate request. The certificate won't issue until DNS is pointing at your server.

2. Configure DNS

You need a DNS record that points your domain to your Vardo server. You've got two options:

CNAME record (recommended for subdomains)

CNAME  app.mycompany.com  →  vardo.example.com

Use this when adding subdomains like app., api., staging., etc.

A record (required for apex/root domains)

A  mycompany.com  →  203.0.113.42

Replace 203.0.113.42 with your Vardo server's IP address. Use this for naked domains like mycompany.com.

Some DNS providers (Cloudflare, Vercel DNS, Route 53) support CNAME flattening or ALIAS records for apex domains. If yours does, that works too.

3. Verify and get TLS

Back in Vardo, click Verify next to your domain
Vardo checks that DNS resolves to your server
Once verified, it requests a Let's Encrypt certificate automatically
The certificate is issued and installed — usually within 30 seconds

Your domain is now live with HTTPS. HTTP requests are redirected to HTTPS automatically.

Using multiple ACME issuers

Vardo supports three ACME certificate issuers out of the box:

Issuer	Resolver key	Description
Let's Encrypt	`le`	Default. Free certificates, widely trusted.
Google Trust Services	`google`	Google's public ACME CA.
ZeroSSL	`zerossl`	Requires External Account Binding (EAB) credentials.

Configure the default issuer

Go to Admin → Settings → SSL
Select the default issuer
If using ZeroSSL, enter your EAB KID and HMAC key
Click Save

Or configure it in vardo.yml:

ssl:
  defaultIssuer: le  # le | google | zerossl

Assign an issuer to a domain

When adding or editing a domain on an app, you can set the certResolver field to override the instance default. For example, set it to google to use Google Trust Services for that specific domain.

Wildcard domains

For apps that need wildcard subdomains (e.g., *.mycompany.com), you'll need DNS-01 challenge validation instead of HTTP-01:

Go to Settings → TLS
Under your ACME issuer, configure a DNS provider (Cloudflare, Route 53, etc.)
Add your API credentials for the DNS provider
When adding the domain, enter *.mycompany.com
Vardo uses DNS-01 to validate and issue the wildcard certificate

Common setups

Apex + www redirect

Want mycompany.com and www.mycompany.com to both work?

Add both domains to your app in Vardo

Set DNS for both:

A      mycompany.com      →  203.0.113.42
CNAME  www.mycompany.com  →  mycompany.com

In the Domains tab, set one as primary — Vardo redirects the other to it automatically

"Certificate issuance failed"

Common causes:

DNS isn't pointing at your Vardo server yet
Port 80 is blocked by a firewall — Let's Encrypt needs to reach your server on port 80 for HTTP-01 validation
Rate limit hit — if you've issued too many certificates for the same domain recently, switch to the staging issuer to test

"ERR_TOO_MANY_REDIRECTS"

If you're using Cloudflare with its proxy enabled (orange cloud), set SSL mode to Full (Strict) in Cloudflare. Otherwise Cloudflare and Vardo both try to redirect HTTP to HTTPS and loop.

Next steps

Deploy your first app if you haven't already
Set up preview environments for PR-based staging domains
Configure backups for your production apps