While building the Trust Platform, we faced a deceptively simple feature request: "Can customers use their own domains for their trust pages?" What seemed like a quick DNS configuration turned into one of our most technically fascinating challenges.
The difference between dennenboom.normnest.eu and trust.dennenboom.be isn't just cosmetic – it's about ownership, branding, and user confidence. Here's how we built a system that makes custom domains feel magical while handling the chaos behind the scenes.
The "Simple" Request That Wasn't
Custom domains sound straightforward until you realize what's actually involved:
- Dynamic host resolution without killing performance
- Automated SSL certificates that actually work
- Zero-downtime deployments for each new domain
- Bulletproof domain verification to prevent hijacking
Suddenly, that "simple" feature becomes a distributed systems problem with security, performance, and reliability requirements.
The Resolution Puzzle
Every HTTP request needs to answer: "Which customer owns this domain?"
For customer-slug.normnest.eu, it's easy – parse the URL. But customer-domain.com requires hostname-based lookup against our verified domain registry. The naive approach would hit the database on every request, which doesn't scale.
Our solution? Aggressive caching of domain-to-customer mappings with smart invalidation. The system first checks for URL parameters, then examines the Host header for custom domains. Simple fallback logic, bulletproof performance.
Domain Verification: Trust But Verify
Letting anyone claim any domain would be a security nightmare. Our verification pipeline has multiple checkpoints:
DNS Ownership: Customers configure CNAME records proving they control the domain HTTP Reachability: We verify requests actually reach our servers
Pre-validation: Check Let's Encrypt requirements before attempting certificate generation
The verification runs asynchronously with exponential backoff. DNS propagation is unpredictable – some providers take minutes, others take hours. Failed verifications include diagnostic info so customers can actually fix issues.
SSL Automation: The Hard Part
Every custom domain needs a valid SSL certificate. Manual certificate management doesn't scale, but automation is tricky.
Our SSL pipeline handles the full lifecycle:
- Discovery: Check for existing valid certificates first
- Provisioning: Automated Let's Encrypt integration
- Installation: Dynamic web server updates with zero downtime
- Renewal: Scheduled renewal with failure alerts
The challenge? Certificate generation is asynchronous, but users want real-time status. We solved this with job queues that decouple operations from user interactions.
Virtual Host Juggling
Each custom domain needs two Apache virtual hosts: HTTP (for redirects) and HTTPS (for actual content). Configuration templates get populated with customer-specific data and deployed atomically.
The system validates new configs before replacing existing ones – no broken deployments. We also detect configuration drift to catch manual changes that might conflict with automation.
Making It Feel Magical
From the customer's perspective:
- Enter domain → Get DNS instructions
- Configure DNS → Automatic verification begins
- Sit back → SSL certificate appears
- Domain works → Professional trust page live
The interface shows progress without overwhelming technical users. Status updates, DNS propagation monitoring, and clear error messages when things go wrong.
Production Reality Bites
Real-world deployment taught us about edge cases:
DNS Propagation Chaos: Different providers, different timings. Flexible timeouts essential. Rate Limits: Let's Encrypt has limits. Request batching and retry logic required. Customer Mind Changes: Robust cleanup for abandoned domains. Certificate Renewal Failures: Escalation paths to prevent service disruptions.
Security First
Custom domains introduce attack vectors:
- Domain hijacking prevention through strict verification
- HTTPS enforcement for all custom domains
- Certificate validation through proper domain ownership
- Audit logging for all domain operations
- Privilege minimization for certificate scripts
The verification process became our primary security control. No DNS proof, no certificate, no content.
Performance Under Pressure
Growing customer base meant optimization pressure:
- Database indexing for fast domain lookups
- Intelligent caching with smart invalidation
- Connection pooling for certificate operations
- Batch processing to reduce overhead
- Real-time monitoring for bottleneck identification
The Monitoring Game
Complex systems need visibility:
- Verification success rates and failure patterns
- Certificate lifecycle metrics and renewal tracking
- Performance dashboards with real-time alerts
- Capacity planning data for scaling decisions
Technical Philosophy
Our architecture choices reflected specific priorities:
Reliability over novelty – Apache and Let's Encrypt over shiny new tools Automation over process – Eliminate human error wherever possible
Transparency over magic – Comprehensive logging for troubleshooting Security by default – Multiple validation layers Graceful degradation – System works even when components fail
The Hidden Complexity
What looks like a checkbox to users required orchestrating:
- DNS validation systems
- SSL certificate lifecycle management
- Web server configuration automation
- Security verification pipelines
- Performance optimization layers
The best features are invisible – they just work.
Real Impact
This feature transformed customer adoption. Professional branded URLs instead of generic platform links. No technical expertise required for SSL setup. Automated everything while maintaining enterprise security.
The magic moment: customers enter their domain, configure DNS, and within minutes have a fully secure, branded trust page. The complexity is completely hidden.
Final Thoughts
Custom domain management taught us that the simplest user experiences often require the most complex engineering. What appears as "just DNS configuration" actually needs careful orchestration of multiple systems.
The lesson? Technical complexity should create business value, not user friction. Our custom domain system succeeds because it automates away complexity while delivering the professional presentation customers need.
Sometimes the best engineering is completely invisible – it just works, letting customers focus on building trust instead of fighting technical configuration.
