I want to be able to allow customers who use my web application to use their custom domains.
internet -> custom domain -> load balancer -> web application
In this typical design, the SSL will be terminated at the load balancer level. Let’s say I am using nginx to proxy requests to my web application.
How can I automatically create/update my certs at this layer, and being able to scale to potentially thousands of domains that are managed in a pain free way.
The language of choice for me is Go, but my web applications are not necessarily written in Go so I can’t use autocert at the web application level.
if every customers has his own domain, there is no limit. Limits are domain based, but 5 or 10 certificates with one domain isn't a problem. Perhaps one certificate per customer with www.example.com, yourapp.example.com and example.com may be enough.
Then your app should have an own client.
Account creating - order creating - challenge file - confirm challenge - create certificate request and get certificate.
Creating an own client isn't too complicated. That works direct. Additional, there are a lot of libraries.
But checking the different libraries and their limitations -> then the own client may be the simpler solution.