Custom Domains & SSL

Connect your own domain to an n8n instance, let Caddy handle TLS, and understand how browsers treat new domains.

DNS setup

Point your subdomain at the server that hosts the instance using an A record:

Type: A
Name: n8n (or whatever subdomain you chose)
Value: your server's public IPv4 address
TTL: 300 (or your provider's default)

DNS usually propagates within a few minutes, but can take up to an hour depending on your provider.

Automatic SSL

Every instance is fronted by Caddy, which handles TLS termination and automatically requests a Let's Encrypt certificate the first time your domain resolves to the server. Certificates renew automatically 30 days before expiry — you'll never need to touch them.

You can verify the certificate status on the instance details page under SSL Status.

“Dangerous site” warnings

If you see a red Dangerous site warning in Chrome or Edge on a brand-new instance, this is not a certificate problem — your SSL is fine. The warning comes from Google Safe Browsing, which flags newly-registered domains with password input fields because they look statistically similar to phishing sites.

Why it happens

The subdomain has no prior reputation with Google.
n8n's login screen is a generic password form with no brand context.
Safe Browsing's classifier errs on the side of caution for unfamiliar login pages.

The quick workaround

Because the n8n subdomain is frequently used by new instances, Google's automated filters can sometimes be overly aggressive against it. Often, the fastest way to resolve this issue is simply to change your subdomain.

For example, change n8n.yourdomain.com to automate.yourdomain.com, workflows.yourdomain.com, or something similar. This avoids the flagged subdomain entirely and usually bypasses the warning immediately.

The official resolution

If you want to keep your current subdomain, you can request a review from Google:

Verify the domain in Google Search Console. Go to search.google.com/search-console, add your domain, and verify ownership via DNS TXT record.
Open Security & Manual Actions → Security Issues. Google will show the specific reason it was flagged.
Click Request Review and explain that the instance is a private workflow-automation tool for your team, not a public login page. Reviews typically take 1–3 days.

In the meantime, keep the instance off public traffic. Restrict access via an IP allowlist or a reverse-proxy auth layer (Cloudflare Access, oauth2-proxy) — the fewer unauthenticated crawlers that see the login form, the faster the warning disappears.

Prevention for future instances

Prefer a subdomain under a domain you already use (e.g. n8n.yourcompany.com) rather than a freshly-registered one.
Put instances behind an auth proxy so the login form isn't publicly reachable.
Add your domain to Search Console as soon as it's provisioned.

PreviousGetting Started

NextAdding a Domain Later