
feat: add ALIAS_DOMAIN / SAN support for all DNS providers#3

Closed
cl4wb0t wants to merge 2 commits into main from feat/alias-domain-san

cl4wb0t commented Mar 23, 2026

Summary

Adds ALIAS_DOMAIN environment variable support to dstack-ingress. When set:

  • certbot issues a SAN certificate covering both DOMAIN and ALIAS_DOMAIN (via --cert-name + --expand -d)
  • nginx server_name includes ALIAS_DOMAIN so requests arriving via either hostname are accepted

This works with all DNS providers (Cloudflare, Linode, Namecheap, Route53) — no provider-specific code needed.

New Environment Variable

| Variable | Required | Description |
| --- | --- | --- |
| ALIAS_DOMAIN | No | Additional domain included as a SAN on the TLS cert and in nginx server_name |

Files Changed

| File | Change |
| --- | --- |
| scripts/certman.py | Add --cert-name, --expand -d alias_domain to certbot command |
| scripts/entrypoint.sh | Sanitize ALIAS_DOMAIN, include in nginx server_name |
| DNS_PROVIDERS.md | Document ALIAS_DOMAIN in optional variables |
| README.md | Document ALIAS_DOMAIN env var |

Test plan

  • Set ALIAS_DOMAIN=alias.example.com — verify cert has SAN for both domains
  • Verify nginx server_name includes both domains
  • Without ALIAS_DOMAIN — verify behavior identical to before
  • Test with Cloudflare and Route53 providers

Cherry-picked from Dstack-TEE/dstack-examples#83
Tracks: CPL-139

🤖 Generated with Claude Code

When ALIAS_DOMAIN is set:
- certbot issues a SAN cert covering both DOMAIN and ALIAS_DOMAIN
- nginx server_name includes ALIAS_DOMAIN
- Works with all DNS providers (Cloudflare, Linode, Namecheap, Route53)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

--cert-name is only needed when --expand adds a SAN, to prevent
certbot from creating a suffixed cert directory. Without ALIAS_DOMAIN
certbot already names the cert after the -d domain by default.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cl4wb0t commented Mar 23, 2026

Superseded by upstream Dstack-TEE#86

Note: upstream PR Dstack-TEE#86 has the alias_domain / --cert-name / --expand block outside the if action == "certonly": guard, so those flags would also be appended to certbot renew commands (which don't accept them). This PR had them correctly scoped inside the certonly branch.

@cl4wb0t cl4wb0t closed this Mar 23, 2026
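
The scoping described in the comment above, combined with the ALIAS_DOMAIN sanitization listed under Files Changed, as an added example (not code from this PR or from dstack-ingress). The function names, the hostname regex and the `--non-interactive` flag are assumptions of this sketch, and the example.com values are constructed.

```python
import re

# Assumed policy for this example: plain LDH labels, at least one dot, no wildcards.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"(?=.{{1,253}}\Z){_LABEL}(?:\.{_LABEL})+")


def validate_hostname(value: str) -> str:
    """Return the lower-cased hostname or raise ValueError.

    Rejecting everything outside [a-z0-9.-] keeps ';', '{', spaces and
    newlines out of both the certbot argv and the nginx config.
    """
    host = value.strip().lower()
    if not _HOSTNAME.fullmatch(host):
        raise ValueError(f"invalid hostname: {value!r}")
    return host


def certbot_args(action: str, domain: str, alias_domain: str = "") -> list[str]:
    """Build an argv list (never a shell string) for certbot."""
    if action not in ("certonly", "renew"):
        raise ValueError(f"unsupported action: {action!r}")
    args = ["certbot", action, "--non-interactive"]
    if action == "certonly":
        domain = validate_hostname(domain)
        args += ["-d", domain]
        if alias_domain:
            # SAN flags stay inside the certonly branch, so a renew
            # command is never built with them. --cert-name pins the
            # lineage name so --expand does not create a suffixed directory.
            args += ["--cert-name", domain, "--expand",
                     "-d", validate_hostname(alias_domain)]
    return args


def nginx_server_name(domain: str, alias_domain: str = "") -> str:
    """Render the server_name directive from validated hostnames only."""
    names = [validate_hostname(domain)]
    if alias_domain:
        names.append(validate_hostname(alias_domain))
    return "server_name " + " ".join(names) + ";"


if __name__ == "__main__":
    # Constructed sample values.
    print(certbot_args("certonly", "example.com", "alias.example.com"))
    print(certbot_args("renew", "example.com", "alias.example.com"))
    print(nginx_server_name("example.com", "alias.example.com"))
```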