Summary

Add a "Check DNS propagation" button to the SSL certificate page that verifies DNS has fully resolved to the server before triggering a Let's Encrypt certificate request.

Problem

After changing a domain's DNS records, it's unclear when propagation is complete. The only feedback mechanism right now is to click "Add certificate" and see if it fails — but each failed attempt counts against Let's Encrypt's rate limits and triggers failure emails. Public DNS checkers (e.g. whatsmydns.net) are unreliable for domains proxied through Cloudflare, since they see the Cloudflare edge IP rather than the origin.

Proposed solution

Add a "Check DNS propagation" button that runs a DNS resolution check directly on the server — resolving each listed domain and comparing the result to the server's own IP. This approach works correctly behind Cloudflare and any other proxy. Key behaviors:

  • The check runs server-side (not via a third-party public resolver)
  • Each domain in the certificate field is checked individually with a clear per-domain status
  • The button can be clicked as many times as needed — no Let's Encrypt calls are made, so there is no rate limiting risk
  • The "Add certificate" button is only enabled (or at minimum, clearly signaled as ready) once all domains pass the check
  • Results clearly distinguish between "resolves correctly," "not propagated yet," and "check not run"

Why this matters

This removes the guesswork and protects users from burning Let's Encrypt rate limit attempts during routine DNS migrations or server moves. It's especially valuable in agency and managed hosting contexts where multiple domains are being moved simultaneously.

Server-side DNS propagation check on the SSL page

1 total vote
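A sketch of the check described under "Proposed solution", as an added example that is not code from this request or from the product it is filed against: each listed domain is resolved on the server, compared with the server's own addresses, and the "Add certificate" gate stays closed for any name that failed or was never checked. All function and status names are hypothetical and the sample records are constructed. It assumes a name passes only when every A/AAAA answer equals a server address, so a hostname whose records point at a proxy's edge address would show as not propagated under this comparison.

```python
import ipaddress
import socket
from enum import Enum

class Status(Enum):
    OK = "resolves correctly"
    PENDING = "not propagated yet"
    NOT_RUN = "check not run"

def normalize(domains):
    """Lower-case, trim and de-duplicate the names from the certificate field."""
    names = (d.strip().rstrip(".").lower() for d in domains)
    return list(dict.fromkeys(n for n in names if n))

def system_resolve(domain):
    """A/AAAA addresses as seen by the server's own resolver (no third party)."""
    try:
        infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # NXDOMAIN or lookup failure counts as not propagated
    return {info[4][0].split("%")[0] for info in infos}

def check_domains(domains, server_ips, resolve=system_resolve):
    """Per-domain status; makes no ACME call, so it is safe to repeat."""
    expected = {ipaddress.ip_address(ip) for ip in server_ips}
    results = {}
    for name in normalize(domains):
        found = {ipaddress.ip_address(a) for a in resolve(name)}
        # Every returned address must be ours: a leftover A or AAAA record
        # can still send the validation request to the previous server.
        ok = bool(found) and found <= expected
        results[name] = Status.OK if ok else Status.PENDING
    return results

def certificate_ready(domains, results):
    """Gate for "Add certificate": every listed name must have passed."""
    names = normalize(domains)
    return bool(names) and all(
        results.get(n, Status.NOT_RUN) is Status.OK for n in names)

if __name__ == "__main__":
    # Constructed sample: documentation addresses and reserved example names.
    records = {"a.example": {"203.0.113.10"},
               "b.example": {"203.0.113.10", "198.51.100.7"}}
    res = check_domains(["a.example", "b.example"], ["203.0.113.10"],
                        resolve=lambda d: records.get(d, set()))
    for name, status in res.items():
        print(f"{name}: {status.value}")
```

Because `certificate_ready` looks results up by the current domain list, editing the certificate field after a check puts any new name back in the "check not run" state and keeps the gate closed.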