---
title: "Understanding a managed CNAME setup"
date: "2024-02-14T06:18:38+00:00"
summary: "Discover how a managed CNAME setup with Acquia Edge simplifies domain management, enhances security, and improves performance. Learn to configure custom hostnames, validate certificates, and set up auto-renewal for seamless website protection."
image:
type: "page"
url: "/acquia-cloud-platform/add-ons/edge/understanding-managed-cname-setup"
id: "84bef3b9-56f2-41db-b86c-5a142e98769f"
---

In a managed CNAME setup, you get an Acquia-managed domain that acts as the DNS target for your hostnames. This domain takes the form `[codebase].acquiaedge.net` where `[codebase]` is the name of the codebase for your application protected by Acquia Edge. You can use any hostnames specified as the Fully-Qualified Domain Name for any domains served by your application.

Note

Managed CNAME setups are available only to new customers who started with Acquia Edge after January 1, 2021. To reference setups for pre-existing deployments, see [Getting started with Acquia Edge powered by Cloudflare](/acquia-cloud-platform/add-ons/edge/edge-cloudflare/start).

Benefits of a managed CNAME setup
---------------------------------

*   **Proxy of “bare”/apex domains**: DNS RFCs prohibit the use of a CNAME at the zone apex. Managed CNAME setups provide a dedicated IP pair that you can use to protect your bare domains. To retrieve these addresses, run a DNS query against `[codebase].acquiaedge.net` for the specific domain that Acquia supplied to you for your application.
*   **Simplified support for “vanity” domains and redirects**: You can manage any hostnames for your application in a single configuration, even if they do not share a parent in the DNS namespace.

DNS settings with a managed CNAME setup
---------------------------------------

The **DNS** tab is not used to manage any hostnames that you can use with Acquia Edge. You will see several Acquia-defined records resolving to your application.

Note

Do not modify any records defined on the **DNS** tab unless the elastic IP addresses for your application change.

Adding custom hostnames
-----------------------

Custom hostnames are third-party hostnames that CNAME to your domain to receive performance and security benefits of Acquia Edge powered by Cloudflare.

1.  Confirm that the Fallback Origin status on **SSL/TLS - Custom Hostnames** is ACTIVE so that the system starts populating custom hostnames into your Cloudflare account.
    
    Fallback Origin acts as the default origin server for your hostnames, such as fallback.yoursite.acquiaedge.net. Fallback Origin is a proxied DNS record in your zone.
    
    Important
    
    If Fallback Origin is not set, contact your Account Manager or Acquia Support to have it set.
    
    ![Edge SSL TLS](https://acquia.widen.net/content/fcyufl766k/jpeg/edge_SSL-TLS.jpeg?position=c&color=ffffffff&quality=80&u=u1mnox)
    
2.  Click **Add Custom Hostname**.
    
    The system displays the **Add Custom Hostname** section.
    
    ![edge_Custom-SSL-TLS.jpeg](https://acquia.widen.net/content/wuxrkmpmmn/jpeg/edge_Custom-SSL-TLS.jpeg?position=c&color=ffffffff&quality=80&u=u1mnox)
    
3.  In **Custom Hostname**, enter the domain for which you are creating the custom hostname.
4.  In **Minimum TLS version**, select _TLS 1.2_.
    
    Note
    
    The minimum TLS version is defined based on the hostname.
    
5.  In **Certificate type**, select **Provided by Cloudflare**.
    
    You can also use a custom certificate by selecting **Custom certificate**. Your custom certificate does not auto-renew so you are responsible for managing it. Acquia Edge only accepts the following types of publicly-trusted certificates:
    
    *   SHA256WithRSA
    *   SHA1WithRSA
    *   ECDSAWithSHA256
    
    If you attempt to upload a self-signed certificate or a certificate of another type, it is rejected.
    
6.  In **SSL certificate authority**, select **Google Trust Services** or **Let’s Encrypt**.
    
    Acquia recommends that you use **Google Trust Services** or **Let’s Encrypt** instead of **DigiCert**. These certificates last only up to 90 days, but they can be auto-renewed. For information about how to configure them to auto-renew, see [Setting your SSL Certificates to Auto-Renew](#set-ssl-autorenew).
    
7.  In **Certificate validation method**, select **TXT Validation**.
    
    Acquia recommends that you select **TXT Validation** for initial setup. However, you can also select **HTTP Validation**.
    
8.  Select the **Enable wildcard** checkbox.
    
    Acquia does not recommend wildcard certificates because they cannot be renewed automatically. The **Google Trust Services** and **Let’s Encrypt** certificates match hostnames that you have entered.
    
9.  In **Custom origin server**, select **Default origin server**.
    
    Acquia recommends that you select **Default origin server** because in most cases your pair of Acquia dedicated load balancers is shared across your Acquia hosting environments. However, you can also select **Custom origin server** and specify its value.
    
10.  Click **Add Custom Hostname**.

Pre-validating certificates
---------------------------

If you use the TXT validation method, your certificates are issued before you modify DNS for any hostnames.

Acquia does not recommend that you use email validation unless you are a publicly listed administrator or webmaster in WHOIS for your domains.

After you create the custom hostname with TXT validation, Cloudflare generates two TXT records that must be added to your Authoritative DNS configuration.

1.  Add the TXT records through your Authoritative DNS provider.
2.  Verify that the **Certificate status** and **Hostname status** columns on the Custom Hostnames page display the status as **Active**.

Tip

Set the TTL on your DNS records as low as 5 minutes so that this change propagates faster. How long Cloudflare takes to validate your TXT records depends on how long ago they were created.

![edge_custom-hostname.jpeg](https://acquia.widen.net/content/abdnpvuozu/jpeg/edge_custom-hostname.jpeg?position=c&color=ffffffff&quality=80&u=u1mnox)

![Edge Certificate](https://acquia.widen.net/content/g0nbwi9eii/jpeg/edge_certificate.jpeg?position=c&color=ffffffff&quality=80&u=u1mnox)

Note

The Edge Certificates section of the SSL/TLS tab is not used to view or manage any certificates for your domain in a managed CNAME setup.

Launching a domain with Cloudflare for SaaS
-------------------------------------------

Prior to launch, Acquia recommends testing all DNS and SSL configurations.

To launch a domain using Cloudflare for SaaS (Managed CNAME for Acquia Edge), complete the following steps:

1.  Plan your CNAME records for launch.
    
    In this step, you do not update your DNS, but instead confirm that you have the correct CNAME records for your DNS update on your scheduled launch date.
    
    1.  For each hostname, create a record in your authoritative DNS resolving to the acquiaedge.net domain for your application.
        
        For example, for the hostname www.example.com with the codebase mysite:
        
            Type: CNAME
            Name: www.example.com
            Target: mysite.acquiaedge.net
        
    2.  For any bare domains, you can use a record resolving to the IP addresses returned when performing a DNS lookup against the `[codebase].acquiaedge.net` domain corresponding to your application.
        
            Type: A
            Name: example.com
            Target: 192.0.0.1
        
2.  Sign in to your DNS provider.
3.  Add the planned records for your desired domain to your authoritative DNS provider.
4.  Verify whether the traffic is going through Acquia Edge.
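
A pre-launch check of the planned records from step 1, as an added example that is not Acquia's own tooling: it flags a CNAME at a zone apex, a CNAME that does not target the managed domain, and apex A records that differ from the edge IP pair. The codebase `mysite` comes from the example above; the hostnames, IP addresses, the 300-second TTL ceiling, and the rule that an apex carries both edge IPs are assumptions made for the example.

```python
# Added example: pre-launch review of a managed CNAME DNS plan.
MANAGED = "mysite.acquiaedge.net"        # codebase "mysite", as in the example above
EDGE_IPS = {"192.0.2.10", "192.0.2.11"}  # constructed: A records returned for MANAGED
MAX_TTL = 300                            # assumption: 5-minute ceiling during launch

# Constructed plan rows: (name, type, ttl_seconds, value)
PLAN = [
    ("www.example.com", "CNAME", 300, "mysite.acquiaedge.net."),
    ("example.com", "A", 300, "192.0.2.10"),
    ("example.com", "A", 300, "192.0.2.11"),
    ("shop.example.org", "CNAME", 3600, "mysite.acquiaedge.net"),
    ("example.net", "CNAME", 300, "mysite.acquiaedge.net"),
    ("promo.example.org", "CNAME", 300, "mysite.acquiaedge.com"),
    ("example.org", "A", 300, "192.0.2.10"),
]
APEXES = {"example.com", "example.net", "example.org"}


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def check_plan(plan, apexes, managed, edge_ips, max_ttl=MAX_TTL):
    """Return sorted (hostname, problem) findings; an empty list means the plan is consistent."""
    findings = set()
    a_records = {}
    for name, rtype, ttl, value in plan:
        host = norm(name)
        if ttl > max_ttl:
            findings.add((host, f"TTL {ttl}s is above {max_ttl}s"))
        if rtype == "CNAME" and host in apexes:
            findings.add((host, "CNAME at zone apex; use A records to the edge IPs"))
        elif rtype == "CNAME" and norm(value) != norm(managed):
            findings.add((host, f"CNAME target {norm(value)} is not {managed}"))
        elif rtype == "A":
            a_records.setdefault(host, set()).add(value)
    for host, ips in a_records.items():
        if ips - edge_ips:
            findings.add((host, f"A record not in the edge IP set: {sorted(ips - edge_ips)}"))
        elif ips != edge_ips:  # assumption: an apex should carry the whole IP pair
            findings.add((host, f"missing edge IP: {sorted(edge_ips - ips)}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, problem in check_plan(PLAN, APEXES, MANAGED, EDGE_IPS):
        print(f"{host}: {problem}")
```

In practice, fill `EDGE_IPS` from a lookup of your own `[codebase].acquiaedge.net` domain and `PLAN` from an export of your authoritative zone.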

Setting your SSL Certificates to Auto-Renew
-------------------------------------------

After activating your hostnames, ensure that your Let’s Encrypt or Google Trust Services certificates auto-renew. You can do this by changing the validation method from TXT to HTTP post-activation. Wildcard certificates cannot be set to auto-renew. (HTTP Validation is not possible with wildcard certificates.)

Note

Make sure the domain is pointing to Cloudflare. Usually, it has the CNAME record attached or it points to a Cloudflare IP address.

1.  Select an activated Custom Hostname and click **Edit**.
2.  Change the Certificate validation method to **HTTP Validation**.
3.  Click **Save**.