Which service can help to implement a "custom domain" feature?

If anybody from the future ends up here looking for an easy way to implement custom domains, check out https://approximated.app (I'm the founder). It reliably serves hundreds of thousands of custom domains as of today, it's super easy to get up and running with your app the same day, and it starts at $20/month with a 7 day free trial.

Taking a look at some of these other responses, here's how it handles the concerns mentioned about other options:

• They don't handle A records (can't point a root/apex/naked domain without a subdomain at it). Approximated gives you a dedicated IPv4 (IPv6 too) just for you so that you and your users can point whatever you need.
• They don't provide, renew, monitor SSL. Approximated does all of that out of the box, it's included in the price for unlimited domains.
• They require an external service. Approximated actually has a Self hosted enterprise option now where you can run it dedicated on your own server.
• Running into rate limits with lets encrypt. Approximated has much, much higher rate limits than default let's encrypt (we don't rate limit SSL certs at all), and automatically uses many certificate authorities, so that you can scale up to tens of thousands of domains quickly if needed.

I run my app (DynaBlogger in Kubernetes so I use cert-manager to issue certificates using Let's Encrypt.

The way it works is this: when a user adds a custom domain, the app tells the Kubernetes API to create an ingress resource (virtual host in Nginx basically) for the domain; then the app pings the domain until a request to a specific path returns an expected token. This means that the domain is actually pointing to the app / is owned by the user. At that stage, the app tells the Kubernetes API to "upgrade" the ingress resource with some annotations that trigger the issuance of the certificate with cert-manager. If DNS has already been configured for the domain, the process takes under a minute usually.

This setup in Kubernetes is the best I have used so far for this feature.

In the past, before Kubernetes, I was using OpenResty as web server, which is a particular version of Nginx with lua scripting built in. Then I would use the lua-autossl extension to issue certificates.

The way that works is this: the app exposes an API endpoint which accepts a domain as a parameter and returns a 200 status code if the domain is recognized (= added by some user to the system) or 404 status code if not. At the first request with the custom domain, some lua code queries that API endpoint to check if the domain is allowed and if yes, it issues the certificate with Let's Encrypt, otherwise it will ignore it and not issue the certificate, for security reasons. What I don't like of this setup is that the first request that triggers the issuance of the certificate can be very slow depending on whether DNS is fully propagated etc. There are also some limits to the number of certificates that can be managed this way by a single web server. With Kubernetes instead the thing scales together with the cluster, so it's a lot better.

I have never considered using a third party service for things like certificates because they require a lot of trust and it's one more external dependency.

You could set up fly.io as a proxy in front of your application. They have the ability to add domains to an application through the API and they handle acquiring a Let's Encrypt certificate for them automatically.

None of these seem to work with A Records as well.