Manage SSL for SaaS application

Hi,

I have a PHP-based SaaS application and am offering a custom domain feature. I mean anybody can use their own domain via CNAME instead of the URL we provided. We are facing an issue with SSL when configuring the CNAME. How can I automate SSL installation when a customer chooses the custom domain feature? We are using HAProxy as a load balancer. Not using AWS. Please help me.

What kind of issue? You’re providing us with almost NO information at all. It’s hard to help you when we need to guess.

1 Like

I need to implement automated SSL installation for custom domains. Any idea how I can implement it with Let's Encrypt?

That’s not an “issue” or a “problem”. That’s an “I want to…”.

Yes, for example, by using one of the available client options. There are PHP libraries.

But again, you’re giving us NO information AT ALL. What SaaS application are we talking about? You mentioned you “[Were] facing an issue”, but you haven’t explained what the issue was. What did you do? With what software? What was the command? What was the full output?

1 Like

Sorry @Osiris for mentioning it like an issue. 🙂
It's an e-learning platform; customers can sell their videos by using this platform. When a customer signs up for our application (example.com), they can access their site at https://customer.example.com, like that. And then they can upload their videos via the admin control panel.

The customer can use a custom domain like https://customersite.com instead of the https://customer.example.com URL by using a CNAME.

When the customer points it by CNAME, the browser shows https with a red mark.
To solve this issue I can manually buy an SSL from the customer and upload it to my load balancer (HAProxy). But I need to automate it with Let's Encrypt.

Hi @sruthin

then do it.

Start with some basics:

Then select a client. @Osiris has already shared the link.

Certbot has HAProxy support.

1 Like

What you’re suggesting is perfectly possible. The CNAME in question isn’t really that relevant. Let’s Encrypt follows the CNAME like any other DNS resolver, so the hostname of the customer is resolved to the IP address of your server.

So I’m assuming the PHP software you’re talking about is custom built? You or your developers can implement a PHP client (as I’ve listed above) in your software. The customer should be given some kind of button I guess to tell the software: “I have implemented my own hostname and have pointed a CNAME to customer.example.com! Please give me a TLS certificate.” at which point your software will get the certificate.

It does? 🤔

1 Like

@Osiris @JuergenAuer I have tried SSL creation with the Bash client acme.sh. The SSLs are created. That time I faced another issue. Every time, I need to update the customer’s custom domain in the HAProxy config file and reload the HAProxy service. After that I can generate the SSL with this command:
"acme.sh --issue --standalone -d example.com"
Is there any way to generate SSL without updating the custom domain in the HAProxy config file each time an SSL is created?

Sometimes one customer domain is customer1.com and another customer domain is customer2.com. Updating the custom domain in the HAProxy config and reloading it each time will affect production.
Is there any good method to implement it?

1 Like

Well, HAProxy obviously needs to know about the certificate somehow. But isn’t a HAProxy configuration change necessary anyway? Because you’ll need your software to respond to the new customer hostname, right? Or is that handled by the webservers downstream of HAProxy? Is TLS passthrough an option?

Also, I’m not familiar with HAProxy, but does it have some sort of “include” directive for its configuration? It would still need a reload of some kind (but that is also true for e.g. Apache or nginx), but perhaps it would make the configuration less “cluttered” if the separate TLS statements are separated in a configuration file per customer/custom hostname and perhaps grouped in a distinct directory.

Using the --standalone option, it’s required no webserver is listening at that moment. You probably don’t want that. Isn’t it better to use the webroot challenge?

2 Likes
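The approach suggested in the post above (webroot challenge instead of `--standalone`, certificates kept out of the main HAProxy configuration), written out as an added example that is not code from the thread. The paths, the `acme` backend, the `.example.com` suffix check and the function names are assumptions; the hostname validation is there because the domain is customer input that reaches a command line and a file name.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed HAProxy setup (hypothetical):
#   bind :443 ssl crt /etc/haproxy/certs/    # loads every PEM in the directory
#   use_backend acme if { path_beg /.well-known/acme-challenge/ }
#   backend "acme" serves static files from $WEBROOT
export LC_ALL=C                                    # byte-wise a-z ranges below
WEBROOT="${WEBROOT:-/var/www/acme}"                # assumed path
PARTS_DIR="${PARTS_DIR:-/etc/acme/parts}"          # assumed path, outside CERT_DIR
CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"         # assumed path
PLATFORM_SUFFIX="${PLATFORM_SUFFIX:-.example.com}" # where customer CNAMEs must point

# The domain is customer input that ends up on a command line and in a file
# name, so accept only a plain lowercase DNS name (no '/', spaces, leading '-').
valid_hostname() {
  [ "${#1}" -le 253 ] || return 1
  case "$1" in *[!a-z0-9.-]*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# True when a CNAME target as printed by dig (trailing dot) is under our zone.
cname_is_ours() {
  t="${1%.}"
  valid_hostname "$t" || return 1
  case "$t" in *"$PLATFORM_SUFFIX") return 0 ;; *) return 1 ;; esac
}

issue_for_customer() {
  domain="$1"
  valid_hostname "$domain" || { echo "rejected hostname" >&2; return 2; }
  target="$(dig +short CNAME "$domain" | head -n 1)"
  cname_is_ours "$target" || { echo "$domain: CNAME is not ours" >&2; return 3; }
  # Webroot mode: HAProxy keeps listening, no per-domain config edit.
  acme.sh --issue -d "$domain" -w "$WEBROOT" || return 4
  ( umask 077   # private key material: owner-only files
    acme.sh --install-cert -d "$domain" \
      --fullchain-file "$PARTS_DIR/$domain.crt" \
      --key-file "$PARTS_DIR/$domain.key" \
      --reloadcmd "cat '$PARTS_DIR/$domain.crt' '$PARTS_DIR/$domain.key' \
        > '$CERT_DIR/$domain.pem' && systemctl reload haproxy" )
}

if [ "$#" -gt 0 ]; then issue_for_customer "$1"; fi
```

acme.sh remembers the `--install-cert` settings, so renewals rebuild the combined PEM and reload HAProxy the same way.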

@Osiris

Let me check on this way. Thank you.

1 Like

@JuergenAuer @Osiris

Everything is working fine. Thanks all.

2 Likes