Any text templating (e.g. erb) will allow you to generate an nginx configuration file from a template and write it to the filesystem.
For example,
```nginx
# nginx.erb
server {
    listen 443 ssl http2;
    server_name <%= @client_domain %>;
    ssl_certificate /var/lib/myapp/ssl_storage/<%= @client_domain %>/certificate.pem;
    ssl_certificate_key /var/lib/myapp/ssl_storage/<%= @client_domain %>/private_key.pem;
    location / {
        proxy_pass http://localhost:8080;
    }
}
```

```ruby
require 'erb'

# 1. Save cert + private key /var/lib/myapp/ssl_storage/<client_domain>/ or wherever

# 2. Generate an nginx configuration file for this server
@client_domain = 'example.org' # or whatever
tpl_text = File.read('nginx.erb')
nginx_config_to_save = ERB.new(tpl_text).result(binding)

# 3. Write the contents of nginx_config_to_save to /etc/nginx/sites-enabled/<client_domain>-ssl.conf

# 4. Invoke `sudo service nginx reload` or whatever
```
I don't know any Ruby, so YMMV.
If this seems like too much, well, I don't see any way around it really apart from trying one of the other SSL terminating webservers, or maybe OpenResty as suggested (which is based on nginx).
I don't envision Certbot as being very beneficial in your case. Even if it issues the certificate for you, it has no way of understanding your requirement about your customer domains and SaaS in an automatic way. You have to do this server templating bit no matter what, if you're using nginx.
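
Added example, not part of the original post: the customer-supplied domain ends up in `server_name`, in the certificate paths and in the config file name, so this version of the rendering step accepts only plain hostnames before the template sees the value. The template is the one from the post; the constant names, function names and the `conf_dir` parameter are assumptions made for the example.

```ruby
require 'erb'

# Template from the post, embedded so the example is self-contained.
VHOST_TEMPLATE = <<~'NGINX'
  server {
      listen 443 ssl http2;
      server_name <%= domain %>;
      ssl_certificate /var/lib/myapp/ssl_storage/<%= domain %>/certificate.pem;
      ssl_certificate_key /var/lib/myapp/ssl_storage/<%= domain %>/private_key.pem;
      location / {
          proxy_pass http://localhost:8080;
      }
  }
NGINX

# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/
HOSTNAME = /\A(?=.{1,253}\z)#{LABEL}(?:\.#{LABEL})+\z/

class InvalidDomain < ArgumentError; end

# Returns the lower-cased domain or raises. Rejects anything that could add
# nginx directives (";", "{", whitespace, newlines) or leave the certificate
# directory ("/", ".."). Single-label names such as "localhost" are rejected too.
def validate_domain(input)
  domain = input.to_s.downcase
  raise InvalidDomain, "not a plain hostname: #{input.inspect}" unless HOSTNAME.match?(domain)
  domain
end

# Renders the vhost with only the validated value visible to the template.
def render_vhost(input)
  ERB.new(VHOST_TEMPLATE).result_with_hash(domain: validate_domain(input))
end

# Writes to a dot-prefixed temporary name (not matched by an `include dir/*;`
# glob) and renames it into place, so nginx never loads a half-written file.
# conf_dir is a parameter here; the post uses /etc/nginx/sites-enabled.
def write_vhost(input, conf_dir)
  domain = validate_domain(input)
  final = File.join(conf_dir, "#{domain}-ssl.conf")
  tmp = File.join(conf_dir, ".#{domain}-ssl.conf.tmp")
  File.write(tmp, render_vhost(domain))
  File.rename(tmp, final)
  final
end
```

Running `nginx -t` after the write and before the reload in step 4 catches a config that does not parse, for instance when the certificate files from step 1 are missing.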