Add cname flattening docs

[adityaoberai]

What does this PR do?

Adds docs to explain how to add apex domains with CNAME flattening

Test Plan

Visit /docs/products/sites/domains

Related PRs and Issues

No

Have you read the Contributing Guidelines on issues?

Yes

Summary by CodeRabbit

• Documentation
  • Clarified apex domain setup by splitting NS-record and CNAME-flattening methods, with step-by-step guidance and rationale.
  • Added detailed instructions for records (CNAME/ALIAS/ANAME, CAA) and DNS propagation notes.
  • Included new light/dark visual assets to illustrate both flows.

[coderabbitai]

Walkthrough

Adds four image assets to the optimize cache (light and dark variants for add-domain-cname and add-domain-ns) and updates the apex domain documentation page. The doc edits clarify NS-based instructions, add NS-specific UI guidance and a propagation note, and introduce a new section describing CNAME flattening (steps, record types, and CAA guidance) as an alternative for adding an apex domain. The narrative is reorganized to separate the NS-record and CNAME-flattening approaches.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (30 files): ⚔️ .optimize-cache.json (content) ⚔️ server/sitemap.js (content) ⚔️ src/hooks.server.ts (content) ⚔️ src/lib/utils/canonical.ts (content) ⚔️ src/routes/docs/advanced/security/encryption/+page.markdoc (content) ⚔️ src/routes/docs/products/databases/csv-imports/+page.markdoc (content) ⚔️ src/routes/docs/products/databases/legacy/type-generation/+page.markdoc (content) ⚔️ src/routes/docs/products/databases/tables/+page.markdoc (content) ⚔️ src/routes/docs/products/databases/type-generation/+page.markdoc (content) ⚔️ src/routes/docs/products/sites/domains/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/dart/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/deno/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/dotnet/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/go/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/kotlin/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/node/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/php/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/python/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/ruby/+page.markdoc (content) ⚔️ src/routes/docs/quick-starts/swift/+page.markdoc (content) ⚔️ src/routes/docs/tooling/command-line/tables/+page.markdoc (content) ⚔️ src/routes/docs/tutorials/android/step-6/+page.markdoc (content) ⚔️ src/routes/docs/tutorials/nextjs/step-6/+page.markdoc (content) ⚔️ src/routes/docs/tutorials/nuxt/step-6/+page.markdoc (content) ⚔️ src/routes/docs/tutorials/react-native/step-6/+page.markdoc (content) ⚔️ src/routes/docs/tutorials/react/step-6/+page.markdoc (content) ⚔️ src/routes/docs/tutorials/refine/step-5/+page.markdoc (content) ⚔️ src/routes/docs/tutorials/sveltekit/step-6/+page.markdoc (content) ⚔️ src/routes/docs/tutorials/vue/step-6/+page.markdoc (content) ⚔️ src/routes/robots.txt/+server.ts (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'Add cname flattening docs' accurately and concisely describes the main objective: adding documentation for CNAME flattening as an alternative method for adding apex domains.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-cname-flattening-docs

⚔️ Resolve merge conflicts (beta)

• Auto-commit resolved conflicts to branch add-cname-flattening-docs
• Create stacked PR with resolved conflicts
• Post resolved changes as copyable diffs in a comment

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

src/routes/docs/products/sites/domains/+page.markdoc (1)

91-100: Steps 5 and 7 may confuse users about the record type.

Step 5 says to copy the CNAME record value, but step 7 instructs the user to create an "ALIAS, ANAME, or CNAME record." A user whose provider uses ALIAS/ANAME records might be confused by step 5 calling it a "CNAME record" when they won't actually create a CNAME. Consider rewording step 5 to be record-type-agnostic, e.g., "Copy the hostname provided by Appwrite (appwrite.network)."

Additionally, steps 7 and 8 describe a single DNS action (create a record pointing to the hostname) split across two steps — merging them would be more concise.

📝 Suggested rewording

-5. Copy the **CNAME** record provided by Appwrite (`appwrite.network`).
-6. Copy the **CAA** record provided by Appwrite (`0 issue "certainly.com"`).
-7. In your DNS provider's settings, create an ALIAS, ANAME, or CNAME record at the apex (depending on what your provider supports).
-8. Point the record to the Appwrite hostname provided in the console.
-9. Add the CAA record to your DNS provider's settings, also pointed at the apex.
-10. Return to the Site settings and wait for verification status.
+5. Copy the **hostname** provided by Appwrite (`appwrite.network`).
+6. Copy the **CAA** record value provided by Appwrite (`0 issue "certainly.com"`).
+7. In your DNS provider's settings, create an ALIAS, ANAME, or CNAME record at the apex (depending on what your provider supports) and point it to the Appwrite hostname (`appwrite.network`).
+8. Add a **CAA** record to your DNS settings at the apex with the value `0 issue "certainly.com"`.
+9. Return to the Site settings and wait for verification status.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/routes/docs/products/sites/domains/`+page.markdoc:
- Line 96: The CAA record example currently shows the wrong CA; locate the line
containing the CAA example string '0 issue "certainly.com"' (the list item that
starts "Copy the **CAA** record") and change its value to Let's Encrypt by
replacing '0 issue "certainly.com"' with '0 issue "letsencrypt.org"'; ensure the
surrounding markup and emphasis (the "**CAA** record" list item) remain
unchanged.

🧹 Nitpick comments (1)

src/routes/docs/products/sites/domains/+page.markdoc (1)

91-100: Steps 5 and 8 overlap; consider consolidating.

Step 5 says to copy the CNAME record (appwrite.network), and step 8 says to "point the record to the Appwrite hostname provided in the console." These describe the same target value but are split across two steps, which may confuse readers. Consider merging them so step 7 reads something like: "Create an ALIAS/ANAME/CNAME record at the apex pointed to appwrite.network" and remove step 8.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

certainly.com certificate authority CAA record

💡 Result:

To allow Certainly (Fastly’s CA) to issue TLS certificates for your domain, add a DNS CAA record that authorizes the CA identifier:

• CAA value for Certainly: certainly.com (this is the recognized CAA identifier for Certainly LLC) [1][2]

Example records:

; Allow Certainly to issue certificates for the domain
example.com.  CAA 0 issue "certainly.com"

; (Optional) Allow Certainly to issue wildcard certificates
example.com.  CAA 0 issuewild "certainly.com"

Sources: Fastly’s TLS documentation lists certainly.com as the required CAA value for Certainly [2], and the CCADB “All CAA Identifiers” report lists certainly.com for Certainly LLC [1].

---

🌐 Web query:

Appwrite custom domain TLS certificate authority

💡 Result:

Appwrite’s TLS certificates for custom domains are automatically issued by Let’s Encrypt (the non-profit CA operated by ISRG), using the ACME flow (notably the HTTP-01 challenge for self-hosted setups). [1], [2]

Sources: Appwrite TLS docs [1] and TLS certificates (self-hosting) docs [2].

---

🌐 Web query:

"certainly.com" CA certificate

💡 Result:

Certainly (at certainly.com) is Fastly’s publicly trusted TLS Certification Authority (CA). (fastly.com)

The CA’s root certificates referenced in Mozilla’s public root-inclusion discussion are: (groups.google.com)

• Certainly Root R1 (websites trust bit) — crt.sh by SHA-256: 77B82CD8644C4305F7ACC5CB156B45675004033D51C60C6202A8E0C33467D3A0 (groups.google.com)
• Certainly Root E1 (websites trust bit) — crt.sh by SHA-256: B4585F22E4AC756A4E8612A1361C5D9D031A93FD84FEBB778FA3068B0FC42DC2 (groups.google.com)

Fastly also notes Certainly’s intermediate CA certificates have been cross-signed by GoDaddy to improve client compatibility. (fastly.com)

Citations:

• 1: https://www.fastly.com/blog/announcing-certainly-fastlys-own-tls-certification-authority?utm_source=openai
• 2: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/EhXhiHfWGC8/m/3PcJHizqAAAJ?utm_source=openai
• 3: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/EhXhiHfWGC8/m/3PcJHizqAAAJ?utm_source=openai
• 4: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/EhXhiHfWGC8/m/3PcJHizqAAAJ?utm_source=openai
• 5: https://www.fastly.com/blog/announcing-certainly-fastlys-own-tls-certification-authority?utm_source=openai

---

Update the CAA record value from certainly.com to letsencrypt.org.

Appwrite uses Let's Encrypt (ISRG) to issue TLS certificates for custom domains, not Certainly. The CAA record should reference Let's Encrypt as the authorized CA. The correct CAA record should be 0 issue "letsencrypt.org".

🤖 Prompt for AI Agents

In `@src/routes/docs/products/sites/domains/`+page.markdoc at line 96, The CAA
record example currently shows the wrong CA; locate the line containing the CAA
example string '0 issue "certainly.com"' (the list item that starts "Copy the
**CAA** record") and change its value to Let's Encrypt by replacing '0 issue
"certainly.com"' with '0 issue "letsencrypt.org"'; ensure the surrounding markup
and emphasis (the "**CAA** record" list item) remain unchanged.

[Meldiron]

Certainly here is correct.
But worth checking rest of docs (for cloud), to make sure we dont have mistake elsewhere.

[coderabbitai]

🧩 Analysis chain

@Meldiron, acknowledged! I'll verify the consistency of certificate authority references across the cloud documentation.

---

🏁 Script executed:

#!/bin/bash
# Search for CAA record references in docs
echo "=== Searching for CAA records ==="
rg -i "CAA" --type=md src/routes/docs/ -C 2

echo -e "\n=== Searching for letsencrypt references ==="
rg -i "letsencrypt" --type=md src/routes/docs/ -C 2

echo -e "\n=== Searching for certainly.com references ==="
rg -i "certainly\.com" --type=md src/routes/docs/ -C 2

echo -e "\n=== Searching for certificate authority mentions ==="
rg -i "certificate authority|CA.*certificate|TLS certificate" --type=md src/routes/docs/products/sites/ -C 2

Length of output: 181

---

🏁 Script executed:

#!/bin/bash
# Search without type restriction to include .markdoc files
echo "=== Searching for CAA records in all docs files ==="
rg -i "CAA" src/routes/docs/ -C 2

echo -e "\n=== Searching for letsencrypt references ==="
rg -i "letsencrypt" src/routes/docs/ -C 2

echo -e "\n=== Searching for certainly.com references ==="
rg -i "certainly" src/routes/docs/ -C 2

echo -e "\n=== Searching for certificate/TLS related content in sites docs ==="
rg -i "certificate|TLS" src/routes/docs/products/sites/ -C 1

Length of output: 7177

---

🏁 Script executed:

#!/bin/bash
# Read the full TLS documentation to understand the context
echo "=== TLS documentation content ==="
cat src/routes/docs/advanced/security/tls/+page.markdoc

Length of output: 1138

---

@Meldiron, I found an inconsistency that needs clarification:

Current documentation states:

• TLS docs (src/routes/docs/advanced/security/tls/+page.markdoc): "Appwrite uses Let's Encrypt to auto-generate TLS certificates" - applies to "all" Appwrite products, custom domains, and Function domains
• Sites CNAME flattening (this PR): Requires CAA record for certainly.com

Recommendation:
The general TLS documentation page should be updated to clarify which services use which certificate authority. It currently states Let's Encrypt is used for "all" domains, but Sites (particularly with CNAME flattening via Fastly infrastructure) uses Certainly.

Suggested clarification for src/routes/docs/advanced/security/tls/+page.markdoc:

• Mention that Sites uses Certainly (Fastly's CA) for TLS certificates
• Or clarify that Let's Encrypt applies to API endpoints and self-hosted deployments, while Sites may use different CAs

Would you like me to help draft an update for the TLS documentation page to address this?

---

✏️ Learnings added

Learnt from: Meldiron
Repo: appwrite/website PR: 2745
File: src/routes/docs/products/sites/domains/+page.markdoc:96-96
Timestamp: 2026-02-12T11:07:46.170Z
Learning: Appwrite Cloud Sites uses Certainly (Fastly's CA) for TLS certificates, not Let's Encrypt. The CAA record value `0 issue "certainly.com"` is correct for Sites with CNAME flattening.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[adityaoberai]

Let's Encrypt applies to self-hosted deployments and Certainly applies to Appwrite Cloud

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[adityaoberai]

Let's Encrypt applies to self-hosted deployments and Certainly applies to Appwrite Cloud

@coderabbitai prompt for this?

[coderabbitai]

@adityaoberai, here's the prompt for updating the TLS documentation:

---

Prompt for AI Agents / Manual Update:

In `src/routes/docs/advanced/security/tls/+page.markdoc`, locate the sentence 
"Appwrite uses Let's Encrypt to auto-generate TLS certificates for all Appwrite 
products, custom domains, and Function domains." and update it to clarify the 
distinction between self-hosted and Cloud deployments.

Replace it with:
"Appwrite automatically generates TLS certificates for all Appwrite products, 
custom domains, and Function domains. Self-hosted deployments use Let's Encrypt, 
while Appwrite Cloud uses Certainly (Fastly's Certificate Authority)."

Ensure the surrounding markdown structure and any links remain unchanged.

---

This clarification will help users understand which CA to authorize in their CAA records depending on their deployment type.

---

✏️ Learnings added

Learnt from: adityaoberai
Repo: appwrite/website PR: 2745
File: src/routes/docs/products/sites/domains/+page.markdoc:96-96
Timestamp: 2026-02-13T20:29:03.828Z
Learning: For Appwrite TLS certificates: self-hosted deployments use Let's Encrypt as the certificate authority, while Appwrite Cloud uses Certainly (Fastly's CA).

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: Meldiron
Repo: appwrite/website PR: 2745
File: src/routes/docs/products/sites/domains/+page.markdoc:96-96
Timestamp: 2026-02-12T11:07:53.907Z
Learning: Appwrite Cloud Sites uses Certainly (Fastly's CA) for TLS certificates, not Let's Encrypt. The CAA record value `0 issue "certainly.com"` is correct for Sites with CNAME flattening.

---

Learnt from: amustaque97
Repo: appwrite/website PR: 2444
File: .github/workflows/production.yml:107-114
Timestamp: 2025-09-25T12:18:00.841Z
Learning: In the Appwrite website Kubernetes deployment, the team intentionally uses short-lived GITHUB_TOKEN for Docker pull secrets rather than long-lived registry credentials, as per amustaque97's explicit preference.

[atharvadeosthale]

@adityaoberai worth mentioning that it's certainly for Appwrite Cloud and could be letsencrypt for self-hosted? Worth consulting Matej for more info on this.

[adityaoberai]

We also need to do this in the TLS Certificates section of the docs

I'll do that today