Custom domains now work with Cloudflare and CDNs
If you use a custom domain on Offprint, SSL certificates now provision and renew correctly regardless of whether your domain is behind Cloudflare, Fastly, or any other CDN.
The problem we were asking people to live with
When you connected a custom domain, Offprint used Let's Encrypt to issue an SSL certificate. The way that worked was straightforward: Let's Encrypt would make an HTTP request to your domain, our server would respond with a verification file, and the certificate would be issued.
This fell apart the moment anything sat between your domain and our server. Cloudflare's proxy is the most common case. With the orange cloud enabled, Let's Encrypt reached Cloudflare instead of us. The verification failed. No certificate.
Our answer was to tell people to disable the proxy. That worked, but it meant giving up DDoS protection, caching, and Cloudflare's analytics.
What we changed
Instead of verifying certificates over HTTP, Offprint now verifies them through DNS. The difference matters because the DNS lookup for the challenge goes to the domain's name servers, not through the HTTP path that CDNs and proxies sit on.
Here is what that looks like. When you add a custom domain, Offprint generates a unique ID for your domain. You add a single DNS record, a CNAME that points _acme-challenge.yourdomain.com to that ID on our DNS zone. When it is time to issue or renew a certificate, our server creates a temporary record on our side of that chain. Let's Encrypt follows the CNAME, finds the record, and issues the certificate.
Your proxy status, CDN configuration, and firewall rules are all irrelevant to this process. The certificate just works.
What this means if you already have a custom domain
Your current certificate is still valid. Nothing breaks today. When it comes up for renewal in the next 60 days, the new method takes over.
Your domain settings page now shows a third DNS record alongside the existing ones. Adding the _acme-challenge CNAME before your next renewal ensures a smooth transition. It takes about a minute.
⛅ If you had Cloudflare's proxy disabled because we told you to, you can re-enable it.
Setting up the new ACME record
If you already have a custom domain, or you are adding one for the first time, here is how to add the SSL record.
Step 1: Find your DNS records in Offprint
Go to your publication settings and open the custom domain section. You will see three DNS records listed. The new one is the ACME record at the bottom, a CNAME starting with _acme-challenge.
Step 2: Add the CNAME in your DNS provider
Log into your DNS provider (Cloudflare, Namecheap, Google Domains, or wherever you manage DNS) and add a new CNAME record.
- Type: CNAME
- Name: _acme-challenge.blog.yourdomain.com (some providers only need _acme-challenge as the name, without your domain appended)
- Target: The value shown in your Offprint settings, something like a7x9k2m4p1n3.acme.offprint.app
💡 If you are using Cloudflare, the proxy can be enabled or disabled, up to you. This record does not receive any traffic, so it should be fine with it enabled (as it is by default).
Step 3: Re-enable Cloudflare proxy (if applicable)
If you previously disabled Cloudflare's proxy on your main domain CNAME (the one pointing to to.offprint.app), you can now turn it back on. The orange cloud is safe to enable.
Step 4: Verify in Offprint
Back in your domain settings, click the verify button. Offprint will check all three records and confirm that your domain is ready for automatic SSL provisioning.
That is it. Certificates will provision and renew on their own from here.
For the curious
We went with DNS-01 challenges exclusively rather than keeping HTTP-01 as a fallback. A fallback would reintroduce the same problem for anyone who had not added the new record yet. One consistent method is simpler to reason about and simpler to troubleshoot.
The infrastructure side was relatively clean. Our server runs Caddy, which uses CertMagic for certificate management. CertMagic already knows how to follow CNAME chains when resolving challenge domains. We added the Cloudflare DNS module, pointed it at our offprint.app DNS zone, and the rest followed from there.
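The CNAME chain described above can be traced offline the way a DNS-01 validator would follow it. This is an added example, not Offprint's or CertMagic's code: the zone data, the key authorization and the function names are constructed, and the expected zone `acme.offprint.app` is taken from the example target shown in Step 2.

```python
import base64
import hashlib

def dns01_txt_value(key_authorization):
    """RFC 8555 section 8.4: unpadded base64url of SHA-256(key authorization)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def _norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.rstrip(".").lower()

def check_delegation(zone, domain, expected_zone, key_authorization, max_hops=8):
    """Trace _acme-challenge.<domain> and return (status, final_name).

    zone maps (name, record_type) -> value and stands in for live DNS answers.
    """
    start = name = _norm("_acme-challenge." + domain)
    seen = set()
    while (name, "CNAME") in zone:
        if name in seen or len(seen) >= max_hops:
            return ("cname-loop", name)  # also covers chains that are too long
        seen.add(name)
        name = _norm(zone[(name, "CNAME")])
    if name == start:
        return ("missing-cname", name)
    # The CNAME hands certificate validation for this hostname to whoever
    # controls the target zone, so reject a chain that ends anywhere else.
    if not name.endswith("." + _norm(expected_zone)):
        return ("outside-expected-zone", name)
    txt = zone.get((name, "TXT"))
    if txt is None:
        return ("no-txt-yet", name)  # normal between issuances: the record is temporary
    if txt != dns01_txt_value(key_authorization):
        return ("txt-mismatch", name)
    return ("ok", name)

# Constructed sample data; a live check would query DNS for these records.
KEY_AUTH = "constructed-token.constructed-account-thumbprint"
TARGET = "a7x9k2m4p1n3.acme.offprint.app"  # example target shown in Step 2
SAMPLE_ZONE = {
    ("_acme-challenge.blog.yourdomain.com", "CNAME"): TARGET + ".",
    (TARGET, "TXT"): dns01_txt_value(KEY_AUTH),
}

if __name__ == "__main__":
    print(check_delegation(SAMPLE_ZONE, "blog.yourdomain.com", "acme.offprint.app", KEY_AUTH))
```

The `outside-expected-zone` result is the one worth alerting on: a leftover or mistyped `_acme-challenge` CNAME lets whoever runs the target zone pass validation for your hostname.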
We also cleaned up the domain setup flow in the dashboard. The Cloudflare-specific warnings and error messages are gone. The UI now shows three DNS records: one for routing, one for ownership verification, and one for SSL. No special-case guidance for specific providers.
One new DNS record, and it just works. That is how it should have been from the start.
Apr 14, 2026