cnames.dev / compare / caddy on demand tls
cnames.dev vs self-hosting Caddy on-demand TLS
Self-hosting Caddy on-demand TLS is a great option — here's an honest total-cost-of-ownership breakdown versus a managed API.
Caddy's on-demand TLS is genuinely one of the best pieces of infrastructure software around, and cnames.dev's own edge is Caddy-based. So this isn't "buy vs a bad option" — it's "operate it yourself vs let someone operate it." If you have the ops capacity and want total control, self-hosting is legitimate. Here's what you take on when you do.
What you own when you self-host
- ACME rate limits. Let's Encrypt caps new orders per account per window. At hundreds or thousands of domains you need account pooling and backoff, or a single burst (a bulk import, a retry loop) stalls issuance for everyone.
- Multi-node challenge solving. Behind a load balancer, an HTTP-01 challenge can hit any node, but only the node that started the order holds the token. You need shared storage or a shared responder so any node can answer.
- Cert storage & sync. Certificates must be shared across nodes and survive restarts — shared storage, backups, and careful permissions.
- Anycast & DDoS. A single region is a single point of failure; real coverage means anycast and absorbing attack traffic.
- Isolation. Stopping one tenant's failing domain from burning your shared issuance budget.
- Monitoring. Cert expiry, issuance failures, and renewal alerts — the boring work that matters at 3am.
TCO comparison
| Dimension | Self-hosted Caddy | cnames.dev |
|---|---|---|
| Software cost | Free (open source) | Free tier, then ~$0.05/domain |
| Servers + anycast + LB | You provision & pay | Included |
| ACME rate-limit management | You build it | Account pool, managed |
| Multi-node challenge solving | You build it | Managed |
| Per-tenant isolation | You build it | Built-in |
| Renewal monitoring & alerts | You build it | Included |
| Engineering time | Ongoing | An API call |
When self-hosting is the right call
If custom domains are core to your product, you have platform engineers, and you want full control of the edge, self-hosting Caddy is a sound choice — you'll build the pooling, challenge solving, and monitoring once and own it. Plenty of good teams do exactly this.
When to buy instead
If custom domains are a feature rather than your product, the engineering time to build and operatethe surrounding system usually costs more than the service. cnames.dev is that system, managed — the same Caddy foundation plus the account pool, cross-node challenges, control plane, and monitoring — behind one API call per domain.
Try cnames.dev. One API call per domain, SSL and edge routing included — free for 25 domains. Start free · Docs · All comparisons
Frequently asked questions
Can I just self-host Caddy with on-demand TLS?
Yes — Caddy's on-demand TLS is excellent and is exactly what a managed service is built on. Self-hosting makes sense when you have the ops capacity and want full control. The trade-off is that you own cert rate-limit management, multi-node challenge solving, anycast/DDoS, storage, and monitoring.
What actually gets hard at scale?
Let's Encrypt rate limits (per-account order limits), solving ACME challenges consistently across multiple nodes behind a load balancer, sharing cert storage, avoiding one bad domain from burning your issuance budget, and keeping the whole thing highly available.
Is cnames.dev just hosted Caddy?
The edge is Caddy-based, yes. The value is everything around it: an ACME account pool for isolation, cross-node challenge solving, a control-plane API and dashboard, verification, and renewal monitoring — so you don't operate it.
Can I start self-hosted and migrate later?
Yes. Because both serve the same domains over standard DNS, you can move gradually by DNS with no downtime.