# How to Get a Free SSL Certificate for Your Cloud App
In 2026, an HTTP-only website is an immediate trust signal problem. Browsers flag unencrypted sites with "Not Secure" warnings, search engines penalize them in rankings, and users rightly distrust them. SSL certificates, once expensive and complex to manage, are now free and largely automatic.
Here is how SSL works on PandaStack and how to set it up for custom domains.
1. Why SSL Matters Beyond Security
SEO: Google has used HTTPS as a ranking signal since 2014. HTTP sites rank lower than equivalent HTTPS sites.
Browser warnings: Chrome, Firefox, and Safari all display prominent warnings for HTTP sites, especially on pages with forms.
Performance: HTTP/2 (which significantly improves load times) requires HTTPS. PandaStack enables HTTP/2 automatically on all HTTPS deployments.
User trust: The padlock icon in the browser is a baseline trust indicator. Without it, conversion rates suffer.
2. Automatic SSL on PandaStack Subdomains
Every PandaStack deployment on a *.pandastack.io subdomain gets a wildcard SSL certificate automatically. No configuration required — your app is HTTPS from the first deploy.
Verify:
curl -I https://your-app.pandastack.io
# HTTP/2 200
# strict-transport-security: max-age=315360003. Custom Domain SSL Setup
For custom domains (e.g., app.yourdomain.com), SSL is still automatic — but you need to configure your DNS first.
Step 1: Add Your Custom Domain in PandaStack
- 1Go to your deployment in [dashboard.pandastack.io](https://dashboard.pandastack.io)
- 2Click Domains → Add Domain
- 3Enter your domain name (e.g.,
app.yourdomain.com) - 4PandaStack shows you a CNAME value to configure
Step 2: Configure DNS
In your DNS provider (Cloudflare, Namecheap, Route 53, etc.), add:
| Type | Name | Value |
|---|---|---|
| CNAME | app | your-app.pandastack.io |
For apex domains (yourdomain.com), use an A record or ALIAS record pointing to the PandaStack IP addresses shown in the dashboard.
Step 3: SSL Certificate Issuance
PandaStack monitors DNS propagation and automatically requests a Let's Encrypt certificate once your domain points to PandaStack. This typically takes:
- A few minutes if DNS propagates quickly (Cloudflare)
- Up to 48 hours for some DNS providers (rare)
You can track certificate status in the domain settings page.
Step 4: Verify Your SSL Certificate
# Check certificate details
curl -I https://app.yourdomain.com
# Verify SSL grade (use an online tool like SSL Labs)
# Or from the terminal:
openssl s_client -connect app.yourdomain.com:443 -servername app.yourdomain.com < /dev/null 2>/dev/null | openssl x509 -noout -dates4. HTTPS Redirect (Automatic)
PandaStack redirects all HTTP traffic to HTTPS by default. Any request to http://your-app.pandastack.io is automatically redirected to https://your-app.pandastack.io with a 301 redirect.
This means you do not need to handle the redirect in your application code.
5. Certificate Renewal
Let's Encrypt certificates expire after 90 days. PandaStack renews them automatically, typically 30 days before expiry. You do not need to take any action.
You can verify renewal is working by checking the certificate expiry date:
openssl s_client -connect your-app.pandastack.io:443 < /dev/null 2>/dev/null | openssl x509 -noout -enddate6. Multiple Domains, One Deployment
You can add multiple custom domains to a single PandaStack deployment. Each domain gets its own SSL certificate. For example:
www.yourdomain.com→ your deploymentapp.yourdomain.com→ same deploymentapi.yourdomain.com→ same deployment (if it is an API)
Each CNAME points to the same PandaStack hostname. SSL is issued for each domain independently.
Full docs: [docs.pandastack.io](https://docs.pandastack.io).