I have a SaaS site. I have "tenants" that set up a CNAME pointing to a subdomain I host.
I have a few questions based on this scenario.
Is it possible to create a certificate for each "tenant" subdomain? Ex. every "tenant" points to custom.mysite.com with whatever subdomain they want from their site; let's say checkout.theirsite.com. When they sign up for an account on mysite.com and enter the domain they'll be using, I'd like to automate adding a certificate. I see I can extend my certificate (and I was able to manually do this) but I'd like them to have their own.
I know a site called booqable does this and their tenants have the certificate name in their subdomain and the SAN (see screenshot below). When I added their subdomain to my cert it lists all the subdomain names in the SAN and I don't want that.
This site in the screenshot booqable is hosting and the rental company has a CNAME set up pointing to a subdomain they have set up.
I am assuming this is possible so when a user adds what subdomain they're using in a form on their admin panel is there a way to create them their own certificate with the domain they input?
I do have root access. So, I'd be able to create one certificate on my server for each tenant? Your (1) and (2) are the two bullets? One or the other? Also, if I do (2), do I create only one certificate per tenant with two domains (custom and checkout)?
My own service - I don't create customercompany.server-daten.de, instead, I use a wildcard *.server-daten.de, so some customercompany subdomain names are hidden.
And there are some additional certificates:
specialname.customercompany.com CNAME -> server-daten.de
customercompany.com + www.customercompany.com -> same A record as server-daten.de
The issue is not in obtaining a certificate - your clients can either CNAME their domain onto your domain, or (less advised, point an IP address), and then you can successfully validate the HTTP-01 challenges.
The big issue is integrating their Certificates into your webserver. Small deployments can often do something with a filesystem. We had a very large scalable need in terms of domains and servers, so I ended up writing a custom ACME client and a plugin for OpenResty (nginx fork) to dynamically load the right certificate.
There are some webservers, like caddy, which offer an "autocert" functionality. If there is no SSL cert available for the domain, they will do the whole ACME process as-needed. I don't have any experience with caddy so can't advise on how to share/persist certs across servers, but the maintainer is active on this forum and may pop up.
Just to be clear... customer.paas.com is not a concern, as a wildcard for *.paas.com handles that. The problem is coordinating the rollout of paas.customer.com certificates onto your webserver.
For those that don't know, paas = "platform as a service".
Are you able to point me in the direction of creating and using additional certificates? I was only able to find re-creating certs. As you know, I want to create additional certs. Also, Booqable doesn't seem to require the tenant to verify anything (add a DNS record to verify their domain). How are they doing that part do you think? Thank you for all the time so far!
Yea... I have a wildcard for tenants using my domain (instead of CNAME). I just need their domain to have a cert without using my main cert for my paas.
It only uses that certificate, so when I visit another tenant for which I ran the same command but with their subdomain, it no longer works on the first tenant. I hope that made sense.
Certbot - and pretty much every system that installs LetsEncrypt certificates into servers - won't be able to help you here. This is a very advanced topic.
Certbot, and similar installation utilities, are looking for a (virtual) host that matches the domains in the certificate. This means you'd need to have a dedicated apache host for every client domain.
You could POSSIBLY pull this off by having apache read a directory of vhosts, like...
Include /usr/local/apache2/conf/vhosts/*.conf
and then creating a new vhost file in there for each client as needed. This is not fun to automate, not very scalable, and quite fragile.
Also, you don't need or want to include mysite.io in these certs. You just want the certs to contain checkout.theirsite.com.
You could very-likely just run https://caddyserver.com in front of Apache. I have heard there are ways to coordinate sharing certs across different servers, but I don't know much about that.
You just sit it in front of apache, and it generates the certificates for you as needed. You won't have to enroll the customer's domain into it or anything.
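As an added illustration of the "Caddy in front of Apache" setup described in the last reply (this is not configuration posted by anyone in the thread, and the Apache port, the contact email and the `ask` URL are assumptions), a minimal Caddyfile using Caddy's on-demand TLS. The `ask` endpoint is the part that ties issuance back to the tenant admin panel: it should answer 200 only for a hostname a tenant has actually registered, so that a stranger pointing DNS at your server cannot make it request certificates for arbitrary names.

```caddyfile
{
	# Global option: before issuing ANY on-demand certificate, Caddy sends
	# GET <ask URL>?domain=checkout.theirsite.com and only issues if the
	# endpoint answers 2xx. Back this with your tenant table, so only
	# domains entered in the admin panel are ever accepted.
	on_demand_tls {
		ask http://127.0.0.1:9000/tenant-domain-allowed
	}
	# ACME account contact (assumed value).
	email admin@mysite.com
}

# Tenants on your own domain are already covered by the *.paas.com wildcard
# mentioned above; this catch-all block is only for the tenants' own
# hostnames (checkout.theirsite.com), which CNAME to your server.
https:// {
	tls {
		on_demand
	}
	# Apache keeps serving the application behind Caddy (port is assumed).
	reverse_proxy 127.0.0.1:8080
}
```

Each tenant hostname gets its own certificate with only that name in it, obtained on the first TLS handshake for that SNI and renewed automatically.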