# SSL for Custom Domains

> Enable free Let's Encrypt SSL or upload your own certificate for custom hostnames.

Bunny provides free auto-renewing SSL certificates via Let's Encrypt, or you can upload your own certificate from a commercial provider.

## Prerequisites

Your custom domain must point to Bunny using a CNAME record before SSL validation can succeed. See [Custom Hostname](/cdn/custom-hostname) for setup instructions.

<Warning>
  On Cloudflare, disable the proxy option (orange cloud icon). Proxying hides
  DNS resolution and prevents SSL validation from working.
</Warning>

## Free Let's Encrypt certificate

<Steps>
  <Step title="Add your custom hostname">
    Open your Pull Zone in the [dashboard](https://dash.bunny.net), navigate to **General** > **Hostnames**, and add your custom hostname if you haven't already.
  </Step>

  <Step title="Enable SSL">
    Find your hostname in the **Linked Hostnames** section and click **Enable**.

    <Frame>
      <img src="https://mintcdn.com/bunnynet-cb9733c2-support-migration/Z09ZI7FyatCuoSuT/images/cdn/select-hostnames-and-enable-ssl.png?fit=max&auto=format&n=Z09ZI7FyatCuoSuT&q=85&s=5594839f4cf0e5733db9ed306d528603" alt="Select hostname and enable SSL" width="2280" height="1240" data-path="images/cdn/select-hostnames-and-enable-ssl.png" />
    </Frame>
  </Step>

  <Step title="Select free certificate">
    Choose **Add Free Let's Encrypt Certificate** and click **Continue**.

    <Frame>
      <img src="https://mintcdn.com/bunnynet-cb9733c2-support-migration/7nPf1p6kEqFGPtU3/images/cdn/enable-https.png?fit=max&auto=format&n=7nPf1p6kEqFGPtU3&q=85&s=59fee99c80f129d9a8e7710912338b78" alt="Enable HTTPS with Let's Encrypt" width="760" height="536" data-path="images/cdn/enable-https.png" />
    </Frame>

    Bunny issues and installs the certificate automatically. Renewal is handled for you.
  </Step>

  <Step title="Confirm CNAME configuration">
    Verify your CNAME record is correctly configured and click **Continue** to complete validation.

    <Frame>
      <img src="https://mintcdn.com/bunnynet-cb9733c2-support-migration/7nPf1p6kEqFGPtU3/images/cdn/cname-configuration.png?fit=max&auto=format&n=7nPf1p6kEqFGPtU3&q=85&s=89134835498f2511c59124cf196c90c1" alt="CNAME configuration" width="756" height="572" data-path="images/cdn/cname-configuration.png" />
    </Frame>
  </Step>

  <Step title="Verify it's working">
    Visit your domain using `https://` and confirm the certificate is valid. You can also use [SSL Labs](https://www.ssllabs.com/ssltest/) to test.
  </Step>
</Steps>

## Custom certificate

Use this option for wildcard domains (`*.yourdomain.com`) or certificates from commercial providers.

<Steps>
  <Step title="Prepare your certificate files">
    Bunny requires an Nginx-compatible format. Combine your certificate chain into a single file by placing your domain certificate at the top, followed by the intermediate certificates in order. Save it as a single `.pem` file (e.g., `fullchain.pem`). You'll also need your private key file.
  </Step>

  <Step title="Enable SSL">
    Open your Pull Zone, go to **Hostnames**, find your hostname, and click **Enable**.
  </Step>

  <Step title="Select custom certificate">
    Choose **Upload your own certificate** and click **Continue**.

    <Frame>
      <img src="https://mintcdn.com/bunnynet-cb9733c2-support-migration/7nPf1p6kEqFGPtU3/images/cdn/enable-custom-https.png?fit=max&auto=format&n=7nPf1p6kEqFGPtU3&q=85&s=1b17b8cc941e1e970252009e63b78850" alt="Enable custom HTTPS" width="760" height="536" data-path="images/cdn/enable-custom-https.png" />
    </Frame>
  </Step>

  <Step title="Upload the certificate">
    Paste your certificate chain and private key into the respective fields, then click **Upload**.

    <Frame>
      <img src="https://mintcdn.com/bunnynet-cb9733c2-support-migration/Z09ZI7FyatCuoSuT/images/cdn/upload-custom-ssl-certificate.png?fit=max&auto=format&n=Z09ZI7FyatCuoSuT&q=85&s=183ac99f7646cbbb221ed1e23904a8e5" alt="Upload custom SSL certificate" width="762" height="1368" data-path="images/cdn/upload-custom-ssl-certificate.png" />
    </Frame>

    Wait for the certificate to propagate across the network.
  </Step>
</Steps>
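
The file preparation from the first step, as an added shell example (not Bunny's own tooling): it builds `fullchain.pem` leaf-first, checks that each certificate is issued by the one after it, and confirms the private key belongs to the leaf. The file names, the `make_demo_chain` helper and its throwaway CA are assumptions for illustration.

```bash
# Added example: file names and the demo hostname are assumptions.

# Leaf first, then intermediates in order. `awk 1` also terminates a file
# that lacks a final newline, so PEM boundary lines never run together.
build_fullchain() {  # usage: build_fullchain OUT LEAF INTERMEDIATE...
  local out=$1; shift
  awk 1 "$@" > "$out"
}

# Succeeds when each certificate is issued by the one that follows it.
chain_in_order() {  # usage: chain_in_order BUNDLE
  local dir i=1 rc=0 issuer subject
  dir=$(mktemp -d)
  # Split the bundle into one file per certificate.
  awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
    n { print > (dir "/cert-" n ".pem") }' "$1"
  [ -f "$dir/cert-1.pem" ] || rc=1
  while [ -f "$dir/cert-$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer_hash)
    subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject_hash)
    [ "$issuer" = "$subject" ] || { rc=1; break; }
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$rc"
}

# Succeeds when KEY is the private key of the first (leaf) certificate.
key_matches_leaf() {  # usage: key_matches_leaf KEY BUNDLE
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed throwaway CA and leaf so the checks can be tried offline;
# the demo CA stands in for a real intermediate certificate.
make_demo_chain() {  # usage: make_demo_chain DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cdn.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}
```

With real files, run `chain_in_order fullchain.pem && key_matches_leaf privkey.pem fullchain.pem` before pasting both into the upload form.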

<Note>
  Let's Encrypt wildcard certificates are not supported through Bunny's
  automatic issuance. For wildcards, generate the certificate yourself (e.g.,
  using certbot with DNS validation) and upload it manually.
</Note>

## Troubleshooting

### SSL validation fails

Common causes:

* **DNS not propagated**: Use [dnschecker.org](https://dnschecker.org) to confirm your CNAME is resolving globally. After updating a DNS record, wait a few minutes before requesting the certificate so the change can propagate; otherwise our servers may read a stale cached record
* **Incorrect CNAME record**: Verify with a [DNS lookup tool](https://toolbox.googleapps.com/apps/dig/) that your hostname returns a CNAME pointing to the exact hostname of your Pull Zone. If you use [Bunny DNS](/dns), point your custom domain's CNAME to your `b-cdn.net` Pull Zone hostname
* **Cloudflare proxy enabled**: Disable the orange cloud icon on your CNAME record
* **Geolocation blocks**: Let's Encrypt validates from multiple regions (including USA and Europe). If you've blocked these regions via Traffic Manager or Edge Rules, validation will fail
* **CAA records**: If your domain has CAA DNS records, add `letsencrypt.org` to the allowed issuers, or remove the CAA records to allow any issuer
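
The CAA cause is easy to miss because a CAA record on a parent domain also applies to its subdomains. The following added shell example (not part of Bunny's tooling) evaluates a set of CAA answer lines for a hostname; the function name `caa_allows` and the sample records are constructed for illustration.

```bash
# Added example; the records below are constructed sample data in the
# answer format printed by `dig +noall +answer CAA <name>`.
SAMPLE_CAA='example.test. 300 IN CAA 0 issue "ca.example.net"
example.test. 300 IN CAA 0 iodef "mailto:security@example.test"
open.example.test. 300 IN CAA 0 issue "letsencrypt.org; validationmethods=http-01"'

# Reads CAA answer lines on stdin. Exits 0 when ISSUER may issue a
# non-wildcard certificate for HOST, 1 when the relevant record set
# names other issuers only. The relevant set is the one at the closest
# name, walking from HOST up through its parent domains (RFC 8659).
caa_allows() {  # usage: caa_allows HOST ISSUER < records
  awk -v host="$1" -v ca="$2" '
    $4 == "CAA" {
      name = tolower($1); sub(/\.$/, "", name)
      has[name] = 1
      if (tolower($6) == "issue") {
        val = tolower($7); gsub(/"/, "", val); sub(/;.*/, "", val)
        issue[name] = 1
        if (val == ca) ok[name] = 1
      }
    }
    END {
      n = tolower(host); sub(/\.$/, "", n)
      while (n != "") {
        # First name with any CAA record decides; no "issue" tag = open.
        if (n in has) exit (((n in issue) && !(n in ok)) ? 1 : 0)
        if (index(n, ".") == 0) break
        n = substr(n, index(n, ".") + 1)
      }
      exit 0   # no CAA records anywhere on the path: any issuer allowed
    }'
}
```

With the sample data, `cdn.example.test` is blocked for `letsencrypt.org` by the record on `example.test`, while `img.open.example.test` is allowed by the closer record on `open.example.test`.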

### Rate limiting

Requesting certificates too many times in a short period can trigger Let's Encrypt rate limits, which can last up to one week. Finish troubleshooting DNS issues before you retry. If you need SSL immediately while rate-limited, upload a [custom certificate](#custom-certificate) from another CA.

### Debugging a failed request

When a certificate request fails via the dashboard or API, the returned error includes an ACME challenge URL (like `https://acme-v02.api.letsencrypt.org/acme/chall/...`). Open it to see the exact reason the issuance failed. If you're still stuck, contact [support@bunny.net](mailto:support@bunny.net).

## Root domains

CNAME records aren't allowed at the apex level (`yourdomain.com`) by most DNS providers. You have two options:

1. Use a subdomain like `www.yourdomain.com` with a CNAME, then redirect the apex to it
2. Use [Bunny DNS](/dns) with [CDN Acceleration](/cdn/cdn-acceleration), which handles this automatically
