Custom Domain Setup

Use your own domain with automatic HTTPS from Let's Encrypt. Decision factors, the four-step shape, and click-by-click setup for Cloudflare and Namecheap DNS.

intermediate ⏱ 30 min 🌐 Connectivity Updated 2026-05-08

Pair a domain you already own, like chat.example.com, with automatic HTTPS from Let’s Encrypt. Your server is reachable at your own address, never appears in the Pulsar directory, and its certificate renews itself.

🤔 Pulsar subdomain or my own domain — which should I pick?

Most people should pick the Pulsar subdomain — it’s free, takes one field, and HTTPS is automatic. Bring your own domain when one of these fits:

  • You already own a domain and want to keep using it.
  • You’d rather not have your server listed in the Pulsar directory.
  • You’re on an enterprise or self-hosted setup where DNS is non-negotiable.

What You’ll Need

  • A running OrOrbit server with the admin panel open
  • A domain you own (e.g. example.com) and access to its DNS
  • Access to your router (for port forwarding)
  • The server’s public IP, shown in Admin Panel → Network Diagnostics

The Four-Step Shape

Regardless of provider, every BYO setup follows the same four steps:

  1. Point a DNS A record at your server’s public IP (e.g. chat.example.com → 203.0.113.5).
  2. Forward TCP 80 and 443 from your router to your server’s local IP. Port 443 is the HTTPS port; port 80 is only used during certificate issuance and renewal.
  3. Save the domain in the admin panel — pick Auto TLS (Let’s Encrypt), enter email + domain, click Save & Provision Certificate.
  4. Wait 30–60 seconds. OrOrbit verifies DNS, completes the HTTP-01 challenge, and hot-swaps the new cert into the running HTTPS server. Renewal is automatic from there.
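
A pre-flight check for steps 1 and 2, as an added example (not OrOrbit's own code): it classifies what the A record resolves to and probes TCP 80 and 443 before you click Save & Provision Certificate. The function names and the `expected_public_ip` parameter are assumptions for illustration; pass the IP shown under Network Diagnostics.

```python
import ipaddress
import socket

# Ranges that must never appear in a public A record for HTTP-01 to succeed.
NON_PUBLIC = {
    "lan": [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}

def classify_a_record(resolved, expected_public_ip):
    """Return 'ok' or the reason this A record will break issuance."""
    addr = ipaddress.ip_address(resolved)
    for label, nets in NON_PUBLIC.items():
        if any(addr in net for net in nets):
            return label
    if addr != ipaddress.ip_address(expected_public_ip):
        return "mismatch"  # stale record, e.g. after a dynamic IP change
    return "ok"

def resolve_a(domain):
    """All IPv4 addresses the local resolver returns for the domain."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def port_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(domain, expected_public_ip):
    """Run the DNS and port checks; returns a list of problem strings."""
    try:
        addrs = resolve_a(domain)
    except socket.gaierror:
        return [f"{domain}: no A record yet (propagation or typo)"]
    problems = []
    for a in addrs:
        verdict = classify_a_record(a, expected_public_ip)
        if verdict != "ok":
            problems.append(f"A record {a}: {verdict}")
    for port in (80, 443):
        if not port_open(domain, port):
            problems.append(f"TCP {port} not reachable")
    return problems
```

Run `preflight("chat.example.com", "203.0.113.5")` from outside your network (a phone on mobile data), since hairpin NAT can make the port probes fail from inside the LAN even when the forward is correct.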

⚠️ Port 80 won't work for me

CGNAT or an ISP that blocks inbound 80 makes the HTTP-01 path impossible. Skip to Public Access for TLS_MODE=custom with a reverse proxy or DNS-01 issuance.


Provider Walkthrough


Privacy: Opting Out of the Pulsar Directory

Pulsar discovery is opt-in. If you skip Pulsar registration entirely and connect over your own domain:

  • Your server is not listed in the public Pulsar directory.
  • No slug heartbeat is sent to Pulsar.
  • No metadata about your server (name, IP, member counts) is published anywhere.

Friends connect by typing your domain into the OrOrbit client directly. The only third parties that see traffic are the ones you’ve already chosen: your DNS provider for the lookup, and Let’s Encrypt during certificate issuance and renewal.


Renewal

Let’s Encrypt certificates last 90 days. OrOrbit renews automatically:

  • Daily background check at the cron interval.
  • Renews when fewer than 30 days remain.
  • Hot-swaps the new cert into the running HTTPS server — no restart, no dropped connections.

Watch status any time at Admin Panel → Security → TLS. The panel surfaces the issuer, expiry date, days remaining, and any last error from a failed renewal attempt. If renewal fails — port 80 stopped being reachable, DNS changed, Let’s Encrypt rate limit — a critical notification fires when fewer than 14 days remain.
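
An independent expiry check you can run from another machine, as an added example (not OrOrbit's own code): it applies the 30-day and 14-day thresholds described above to the certificate the server is actually presenting. The function names and state labels are assumptions for illustration.

```python
import socket
import ssl

RENEW_BELOW_DAYS = 30     # page: renewal starts under 30 days remaining
CRITICAL_BELOW_DAYS = 14  # page: critical notification under 14 days

def days_remaining(not_after, now_epoch):
    """Whole days between now and the certificate's notAfter field."""
    return (ssl.cert_time_to_seconds(not_after) - int(now_epoch)) // 86400

def renewal_state(not_after, now_epoch):
    """Map days remaining onto the thresholds the page describes."""
    days = days_remaining(not_after, now_epoch)
    if days < 0:
        return "expired"
    if days < CRITICAL_BELOW_DAYS:
        return "critical"
    if days < RENEW_BELOW_DAYS:
        return "renewal-overdue"  # auto-renewal should already have run
    return "ok"

def check_live(domain, now_epoch, port=443, timeout=5.0):
    """Fetch the served certificate and classify it.

    The default context validates chain, hostname and validity period, so
    a self-signed or already expired certificate is reported as
    'untrusted' rather than being parsed.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((domain, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except OSError:
        return "unreachable"
    return renewal_state(cert["notAfter"], now_epoch)
```

Call `check_live("chat.example.com", time.time())` from a scheduled job; anything other than `ok` means the automatic renewal has not happened when it should have.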


Optional: Cloudflare Proxy After Issuance

After your certificate is working, you can turn on Cloudflare’s proxy (orange cloud) for DDoS protection and IP hiding. Edit your A record and toggle proxy ON.

⚠️ Warning

With the proxy on, Let’s Encrypt HTTP-01 renewals will fail. Either turn it off temporarily for renewals (~every 60 days), or use Cloudflare Origin Server certificates instead.


Dynamic IPs (When Your Public IP Changes)

Most home connections get a new public IP periodically. When it changes, your DNS record becomes stale and the cert renewal fails the next time around.

Cloudflare: set up a Cloudflare Dynamic DNS script (search “Cloudflare DDNS”) that hits the API to auto-update your A record. Or upgrade to a static IP from your ISP.

Namecheap: built-in Dynamic DNS support.

Step 1: Enable DDNS in Namecheap

  1. Go to your domain’s Advanced DNS tab.
  2. Scroll to Dynamic DNS and toggle it ON.
  3. Note the Dynamic DNS Password shown.

Step 2: Set Up a DDNS Client

Use a DDNS client like Inadyn or Namecheap’s own Dynamic DNS client.

Alternatively, ask your ISP for a static IP (sometimes free, sometimes ~$5/month).


Troubleshooting

DNS not resolving — propagation can take 5–30 minutes (sometimes longer). Verify with nslookup yourdomain.com or dnschecker.org. Make sure the record points to your public IP, not a LAN IP. With Cloudflare, ensure the proxy cloud is gray (DNS only) during issuance.

Port 80 blocked — ISP may block it, another app may use it, or your OS firewall may block it. Check all three. If it’s truly unreachable, see Public Access for the TLS_MODE=custom fallback.

Certificate failed — usually port 80 isn’t reachable from outside. Verify port forwarding and test from a different network (phone on mobile data).

Works locally but not from outside — hairpin NAT limitation on some routers (accessing your own public IP from inside your network). Test from a phone on mobile data; if it works there, the cert flow will work too.

CGNAT detected — the admin panel surfaces a CGNAT warning under Network Diagnostics. Port forwarding can’t help. Use Public Access instead, or ask your ISP for a dedicated IP.

“Rate limited by Let’s Encrypt” — too many failed issuance attempts in a short window. The admin panel surfaces the exact retry-after timestamp; usually a few hours. Don’t keep clicking — the rate limit is per-domain.

Admin panel still says self-signed — refresh the panel. The HTTPS hot-swap doesn’t break the connection but the status banner only refetches every 30 seconds.