Hi! I would like to ask if what I’m doing is the correct approach. I have a Rails web app that lets users add custom domains, so for these domains I need to issue certificates. The app is hosted on Kubernetes, so I am using cert-manager to manage the LetsEncrypt certificates. The way it works is as follows:
- User adds a custom domain
- The app creates an ingress (http only) in Kubernetes for that domain
- The app fetches a page with a verification code from that domain, to ensure that the domain is pointing to The app; this is repeated every 20 seconds until the domain is verified by the app itself
- When the domain is verified by the app, the ingress is “upgraded” to https using cert-manager annotations
- cert-manages notices that there is an ingress with pending certificate, and requests the certificate from LetsEncrypt
- The app periodically does the same verification as before but this time with https instead of http, and when the verification code can be read successfully without ssl errors it means that the domain is verified and has a valid certificate, so it’s ready for use.
This process works very well, and if the DNS for a custom domain is already updated to point to the app (with a CNAME record), within 30 seconds/1 minute the domain is ready for use. The reason I have the app do a verification by itself first, is to ensure that the domain is already pointing to the app when LetsEncrypt does its own verification.
I am wondering however if I can have problems with rate limits or something if the app becomes successful when it is in production. Is this approach correct or should I be doing it differently? How do big companies with lots of custom domains and certificates handle this?
Many thanks in advance to whomever can clarify this for me.