Use this skill when the user says 'setup domain', 'configure DNS', 'SSL certificate', 'domain-ssl', 'custom domain', 'HTTPS setup', or needs to configure DNS records, SSL certificates, and custom domains for any hosting provider. Do NOT use for full deployment workflows.
Validates DNS records, SSL certificates, redirects, HSTS, and domain health across all managed properties.
When this skill activates, output:
🔒 Domain & SSL — Running domain health checks...
Then execute the protocol below.
| Context | Status |
|---|---|
| User says "check domain" or "setup domain" | ACTIVE |
| User says "SSL certificate" or "fix SSL" or "check DNS" | ACTIVE |
| Setting up a new domain for a deployed project | ACTIVE |
| Checking domain expiration or renewal status | ACTIVE |
| User is writing code, not managing infrastructure | DORMANT |
| Discussing domain names abstractly (brainstorming names) | DORMANT |

| Trap | Reality Check |
|---|---|
| "SSL auto-renews, I don't need to check it" | Auto-renewal fails silently when DNS changes. Verify quarterly. |
| "DNS propagation takes 48 hours" | Most propagation happens in minutes. If it's been 2+ hours, something is misconfigured. |
| "www and non-www both work, that's fine" | Pick one canonical URL and redirect the other. Duplicate content hurts SEO and splits analytics. |
| "HTTPS is enough for security" | Without HSTS, the first request can still be intercepted. HSTS tells browsers to never try HTTP. |
| "I'll check the domain when it stops working" | By then, your site is down. Monitor expiration, SSL, and DNS proactively. |

Check that DNS records are correctly configured for the target domain:

```bash
# A records (points domain to IP)
dig +short A example.com
# CNAME records (points subdomain to another domain)
dig +short CNAME www.example.com
# TXT records (verification, SPF, DKIM)
dig +short TXT example.com
# MX records (email routing — check for conflicts)
dig +short MX example.com
# NS records (authoritative nameservers)
dig +short NS example.com
```

Expected patterns by hosting provider:
| Provider | Record Type | Value |
|---|---|---|
| Railway | CNAME | *.up.railway.app |
| Netlify | CNAME | *.netlify.app or A record to 75.2.60.5 |
| Vercel | CNAME | cname.vercel-dns.com or A record to 76.76.21.21 |
| Cloudflare (proxied) | A | Cloudflare IPs (check dashboard) |
Check for conflicts:
Flag if: DNS records don't match the expected hosting provider configuration.

```bash
# Check SSL certificate details
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -subject -issuer
# Show issuer, validity window and subject of the served (leaf) certificate
# (openssl prints "Not After :" with a space before the colon, hence the " ?")
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text | grep -E "Issuer:|Not Before:|Not After ?:|Subject:"
# Quick expiration check
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate
```

Verify:
Renewal timeline:
| Days Until Expiry | Status | Action |
|---|---|---|
| > 30 days | ✅ Healthy | No action |
| 15–30 days | ⚠️ Warning | Verify auto-renewal is working |
| < 15 days | ❌ Critical | Manually trigger renewal immediately |
| Expired | 🚨 Down | Site showing security warnings to visitors |
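
The quick expiration check and the renewal timeline above can be combined into one monitoring script. This is an added example, not part of the original skill; the function names, the exit-code scheme and the reliance on GNU `date -d` are assumptions of the example.

```bash
#!/bin/sh
# Added example: map a certificate's notAfter time onto the renewal timeline.

# classify_expiry NOT_AFTER_EPOCH NOW_EPOCH -> HEALTHY | WARNING | CRITICAL | EXPIRED
# Partial days round down, so 30 days 23 hours left is already WARNING.
classify_expiry() (
  remaining=$(( $1 - $2 ))
  if [ "$remaining" -le 0 ]; then echo EXPIRED; exit 0; fi
  days=$(( remaining / 86400 ))
  if   [ "$days" -gt 30 ]; then echo HEALTHY
  elif [ "$days" -ge 15 ]; then echo WARNING
  else echo CRITICAL
  fi
)

# enddate_to_epoch "notAfter=<date> GMT" -> Unix time.
# Assumes GNU date (-d); BSD/macOS date needs -j -f instead.
enddate_to_epoch() {
  date -u -d "${1#notAfter=}" +%s
}

# check_cert HOST -> prints one status line; returns 0 healthy, 1 warning,
# 2 critical/expired, 3 when no certificate could be read at all.
check_cert() (
  host=$1
  enddate=$(echo | openssl s_client -connect "$host:443" -servername "$host" \
              2>/dev/null | openssl x509 -noout -enddate 2>/dev/null)
  if [ -z "$enddate" ]; then
    echo "$host: UNKNOWN (no certificate retrieved)"; exit 3
  fi
  status=$(classify_expiry "$(enddate_to_epoch "$enddate")" "$(date +%s)")
  echo "$host: $status ($enddate)"
  case $status in
    HEALTHY) exit 0 ;; WARNING) exit 1 ;; *) exit 2 ;;
  esac
)

# Usage: sh check-cert.sh example.com www.example.com
if [ "$#" -gt 0 ]; then
  rc=0
  for h in "$@"; do
    check_cert "$h" || { r=$?; [ "$r" -gt "$rc" ] && rc=$r; }
  done
  exit "$rc"
fi
```

The script exits with the worst status seen across all hosts, so a cron job or CI step can alert on any non-zero result, including the case where the TLS handshake itself fails.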
Pick one canonical form and redirect the other:

```bash
# Test non-www → www (or vice versa)
curl -sI http://example.com | grep -i "location"
curl -sI http://www.example.com | grep -i "location"
curl -sI https://example.com | grep -i "location"
curl -sI https://www.example.com | grep -i "location"
```

Expected redirect chain (non-www canonical):