There are a variety of approaches that I know of, but none of them are really completely straightforward.
The least work is going to an ACME-aware proxy, such as Traefik or Caddy. A simplified explanation:
Your web application configures the proxy (by generating a configuration file, for example) with what certificates should exist for customer domains.
The proxy automatically issues, uses and manages the certificates for the customer domains, and routes the requests to your web application backend. As long as your customers have setup the CNAME, this will all happen automatically.
I do not recommend trying to implement this by hand (for example, programmatically invoking Certbot and then programatically regenerating your nginx/Apache virtual hosts). There are simply too many ways for it to go wrong. Outsource as much of that pain as possible. Yes, it means you have to introduce a new webserver to your infrastructure, but it's a small price to pay.
It's not necessarily the case that Traefik/Caddy are the only solutions, but they're perhaps some of the friendliest ones. If you use Apache, you could consider using mod_md and dynamically generating the Apache configuration. It gives you the automated certificate management, without needing an additional webserver. I'm not sure that an analogue exists for nginx, but OpenResty + lua-resty-acme may come close.
Yes. If your web application is behind the Cloudflare CDN, then this becomes more complicated.
Cloudflare is the one who will need to issue certificates for all of your customers domains. I'm not sure whether that's possible - probably one of the higher-end paid plans.
Because the customers have pointed their hostname to your server (due to the CNAME), you can actually get a certificate without any problem. This is because requests for http://app.customer1domain.com/.well-known/acme-challenge/ will land on your servers.
If "on the fly" certificate generation isn't welcome, the only thing you need to know from your customers is the actual hostname used by your customer. Then, you can generate a certificate for the customer hostname any way you want.
Short summary: because of the CNAME, technically, there's nothing holding you back from generating certificates for your customers hostnames.
You mean if the cname is pointed BEFORE deploying the application and generating the lets'encrypt, we can request lets'encrypt for both app.customer1domain.com AND customer1.myappdomain.com . This seems to make sense. I will try that.
BUT what if the cname is pointed AFTER deploying the application, or the customer wants to change the cname? I assume, will need to add the customer domain to the already generated lets'encryot ssl. Is that correct?
Not any that I'm aware of. There was ngx_http_acme_module back in the day, but it's been abandoned for some time. OpenResty (which is just nginx + the lua module on top of it) is what's available.
It might feel painful to use a separate proxy for your HTTPS port but it's probably preferable to dozens (or more) of development hours trying to wrangle it by hand and figuring all the weird and wonderful ways you got burned afterwards.
The first package is a lua OpenResty(Nginx) plugin to enable dynamic ssl loading
The second package is a Pyramid application that bundles a Certificate Manager with an ACME v2 client. The Pyramid application can be driven by a Web Interface or programmatic API.
They work together like this: The OpenResty plugin will try to load a certificate from nginx worker cache, nginx shared cache, redis and then Pyramid. The Pyramid app can attempt an "autocert" fallback as well.
When we add a customer's domain into our stack, we enroll the domain into the certificate manager then periodically check for the DNS to be ready. when it points to our systems, we attempt to provision a certificate. all of this happens via apis.
Thanks [jvanasco] for sharing.
From an initial reading, this seems a little be complicated. or may be not (I am sure not for you as the creator/developer)!?
Is this recommended for deployments where you will have a dozen of application deployments using Let’sencrypt SSl certifications? Or it’s more recommended for large infrastructure deployments?