Thanks to our Let’s Encrypt integration, enabling SSL for your custom domains on Bunny is quick and simple. You can choose between using a free auto-renewing certificate or uploading your own certificate.
Before You Start: CNAME Setup Is Required
To enable SSL for your custom domain, the domain must first point to Bunny using a CNAME record.
How to set it up:
- Go to your DNS provider (e.g., Cloudflare, GoDaddy, Namecheap).
- Add a CNAME record for your domain pointing to your Pull Zone hostname (e.g., yourzone.b-cdn.net).
Example:
Type | Hostname | Points to
---|---|---
CNAME | cdn.example.com | yourzone.b-cdn.net
Once your CNAME is active, you can continue to the SSL configuration.
Special Considerations
- Using Cloudflare?
Make sure the “Proxy” (orange cloud icon) option is disabled for your CNAME record. When the proxy is enabled, Cloudflare answers DNS queries for the record with its own addresses instead of exposing the CNAME target, which can prevent SSL validation from working correctly.
- Using Bunny DNS?
Instead of setting everything up manually, consider enabling the “CDN Acceleration” feature. This will automatically handle the CNAME and SSL setup for you. Learn more about this option here: What is CDN Acceleration and how to enable it?
- Wildcard Domain SSL
Let’s Encrypt wildcard certificates are not supported on Bunny at this time.
To use SSL with a wildcard domain (e.g., *.yourdomain.com), you’ll need to upload a custom SSL certificate, either one you’ve generated manually or obtained through a paid provider.
Option 1: Use Bunny’s Free SSL Certificate
- Go to CDN → Your Pull Zone → Hostnames.
- Click “Enable” next to the domain.
- In the popup, choose “Get a free Certificate”.
- Click Continue.
Notes:
- Bunny will automatically issue and install an SSL certificate for you, renewing it regularly, with no maintenance needed.
- The CNAME must be properly set before SSL activation. Otherwise, certificate validation will fail.
- Changes to your DNS settings, security configurations (such as firewalls), or other related settings can impact SSL certificate renewals. Bunny will typically notify you if a renewal attempt fails, so you can take action promptly.
Option 2: Use Your Own SSL Certificate
If you prefer to use a custom SSL certificate (e.g., from a commercial provider), follow these steps:
Step 1: Generate Private Key and CSR
On Linux/macOS, run:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain_com.key -out yourdomain_com.csr
This creates two files:
- yourdomain_com.key → your private key (keep it safe; it is only ever uploaded to Bunny in Step 4)
- yourdomain_com.csr → certificate signing request
Step 2: Purchase the Certificate
Choose a provider like ssls.com and submit the .csr file when requested. After verification, they will email you the certificate files.
Step 3: Combine the Certificate Chain
Bunny requires the SSL certificate to follow an Nginx-compatible format, which means the entire certificate chain, including the primary certificate and any intermediate/authority certificates, must be combined into a single file.
You’ll typically receive:
- Your domain’s SSL certificate
- One or more intermediate or authority certificates
How to combine them:
- Place the domain certificate content at the top of the file.
- Paste the intermediate certificates directly below it, in the order provided.
- Save the result as a single file (e.g., fullchain.pem).
Important: The order matters; your domain certificate must appear first, followed by the intermediate certificates.
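As an added example (not Bunny’s own tooling), the following POSIX shell script builds a constructed root CA, intermediate and leaf certificate for cdn.example.com, assembles fullchain.pem exactly as Step 3 describes, and checks the bundle before upload: the first certificate must be the domain certificate, the private key must match it, and the intermediates must complete the chain. The same key check catches the “certificate and key mismatch” failure listed under Troubleshooting. It requires the openssl command-line tool; the file names and the `check_fullchain` function are this example’s own.

```shell
#!/bin/sh
# Added example (not Bunny's own tooling): build a throwaway root CA,
# intermediate and leaf for cdn.example.com, assemble the Nginx-style bundle
# described in Step 3 (domain certificate first, intermediates below), and
# check it the way a pre-upload sanity check would.
set -eu
W=$(mktemp -d); cd "$W"

gen() {  # gen PREFIX CN -> PREFIX.key and PREFIX.csr (same command as Step 1)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {  # sign PREFIX ISSUER EXTFILE -> PREFIX.crt issued by ISSUER
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cdn.example.com\n' > leaf.ext

gen root "Constructed Test Root"      # self-signed root standing in for the CA's root
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.crt 2>/dev/null
gen inter "Constructed Test Intermediate"; sign inter root ca.ext
gen yourdomain_com cdn.example.com;        sign yourdomain_com inter leaf.ext

# Step 3: domain certificate on top, then the intermediate(s) in the order given.
cat yourdomain_com.crt inter.crt > fullchain.pem
cat inter.crt yourdomain_com.crt > wrongorder.pem   # the mistake the page warns about

# check_fullchain BUNDLE KEY DOMAIN ROOT -> exit 0 only if BUNDLE is upload-ready.
check_fullchain() {
  bundle=$1 key=$2 domain=$3 root=$4
  # `x509` reads only the first PEM block: the certificate a server presents as its own.
  openssl x509 -in "$bundle" -out first.pem 2>/dev/null || return 1
  # It must be the end-entity certificate for the domain, not a CA certificate.
  openssl x509 -in first.pem -noout -checkhost "$domain" | grep -q 'does match' || return 1
  openssl x509 -in first.pem -noout -text | grep -q 'CA:TRUE' && return 1
  # The private key must be the one behind that certificate (compare public keys).
  [ "$(openssl x509 -in first.pem -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)" ] || return 1
  # The remaining certificates must chain the leaf up to the trusted root.
  openssl verify -CAfile "$root" -untrusted "$bundle" first.pem >/dev/null 2>&1
}

check_fullchain fullchain.pem yourdomain_com.key cdn.example.com root.crt && echo "fullchain.pem: OK"
check_fullchain wrongorder.pem yourdomain_com.key cdn.example.com root.crt || echo "wrongorder.pem: rejected"
```

Against a real bundle, pass your issuing CA’s root certificate as the last argument; the checks are the same.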
Step 4: Upload to Bunny
- Go to your Pull Zone → Hostnames section.
- Select “Upload your own”.
- Upload:
- Your combined certificate file
- The private key (yourdomain_com.key)
- Click Upload and wait a few moments for the changes to propagate.
Test Your Setup
Once everything is configured, visit your custom domain using https:// and verify that the SSL certificate is active and valid.
You can also use tools like SSL Labs Test to confirm everything is working correctly.
Troubleshooting SSL Installation Errors
When an SSL installation fails, the error message usually includes a link (https://acme-v02.api.letsencrypt.org/acme/chall/RAMDOMCODE) that provides more details about the issue. Open the link in a new tab and review the details provided carefully. For example, in one such case the error occurred because there were no CAA records allowing Let’s Encrypt specifically.
Common causes of SSL installation failures:
- CNAME not configured correctly: Ensure your custom domain is using a valid CNAME that points to the correct Pull Zone hostname.
- Certificate and key mismatch: Double-check that the certificate and private key files are in the correct format and belong to the same domain (the key must be the one generated alongside the CSR for that certificate).
- DNS propagation delay: If you’ve recently updated your DNS records, they may not be fully propagated yet. This can lead to temporary validation failures.
  → Use a tool like dnschecker.org to confirm global DNS resolution.
- Geolocation blocks and Let’s Encrypt validation: Let’s Encrypt uses a multi-perspective validation process, performing checks from servers in various regions.
  → If you’ve blocked access from countries like the USA or regions in Europe using Traffic Manager, Edge Rules, or other security settings, the SSL validation may fail.
  Learn more here: Let’s Encrypt Multi-Perspective Validation
- CAA (Certificate Authority Authorization) records: If your domain has a CAA DNS record, it must explicitly allow Let’s Encrypt to issue certificates.
  → Always verify the CAA configuration on your root domain, not just subdomains.
- DNSSEC conflicts: When DNSSEC is enabled, it’s often required to include a CAA record that explicitly authorizes Let’s Encrypt to issue certificates for your domain.
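As an added example (not Bunny’s tooling), this POSIX shell function reproduces how a CA locates the CAA record set that governs a hostname, which is why the CAA configuration on the root domain decides issuance for a subdomain like cdn.example.com that has no CAA records of its own. The records, hostnames and the `caa_allows_letsencrypt` name are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not Bunny's tooling): walk the DNS tree the way a CA does when
# looking for the CAA RRset that governs a name (RFC 8659). Records below are
# constructed; one per line as "name flags tag value".
set -eu
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
example.com     0 issue "digicert.com"
example.com     0 iodef "mailto:security@example.com"
cdn.example.org 0 issue "letsencrypt.org"
example.net     0 issue ";"
EOF

# caa_allows_letsencrypt NAME ZONEFILE -> 0 if letsencrypt.org may issue for NAME.
# Use the CAA RRset at NAME; if there is none, climb to the parent and repeat.
# The first RRset found decides; no RRset at any level means no restriction.
caa_allows_letsencrypt() {
  name=$1 zone=$2
  while [ -n "$name" ]; do
    rrset=$(awk -v n="$name" '$1==n' "$zone")
    if [ -n "$rrset" ]; then
      # Only "issue" tags restrict a non-wildcard request; iodef does not.
      # An issue value of ";" names no CA at all, so nobody may issue.
      printf '%s\n' "$rrset" | awk '
        $3=="issue" {seen=1; if ($4 ~ /^"letsencrypt\.org/) ok=1}
        END {exit (seen && !ok) ? 1 : 0}'
      return
    fi
    case $name in
      *.*) name=${name#*.} ;;   # drop the leftmost label: cdn.example.com -> example.com
      *)   name= ;;
    esac
  done
  return 0   # no CAA anywhere up the tree: any CA may issue
}

# cdn.example.com has no CAA of its own, so example.com's records apply and
# they name only digicert.com: this is the failure described in the text above.
caa_allows_letsencrypt cdn.example.com "$ZONE" && echo "cdn.example.com: allowed" || echo "cdn.example.com: blocked by CAA"
caa_allows_letsencrypt cdn.example.org "$ZONE" && echo "cdn.example.org: allowed"
```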
Frequently Asked Questions (FAQ)
Does Bunny provide a static IP or an A record to point to?
No. Bunny does not support static IPs or A (address) records for routing traffic to our CDN.
To manually connect your domain to Bunny, you must use a CNAME record, which ensures flexibility, performance, and automatic routing through our edge network.
How do I point my root domain (domain.com) to Bunny?
Most DNS providers do not allow CNAME records at the root (apex) level of a domain due to DNS standards defined in RFCs. Because of this limitation, you have a few options:
- Use a subdomain like www.domain.com with a CNAME pointing to your Bunny Pull Zone (e.g., yourzone.b-cdn.net). Then, set up a redirect from the apex domain to the www version using a rule on your DNS provider or web server.
- Use Bunny as your DNS provider, which allows you to enable CDN Acceleration. This acts as a full proxy for your root domain and bypasses the CNAME restriction.