SSL integration in our platform

Dear Let's Encrypt Team,

We are a non-profit organization developing a school management system to support schools and universities in Africa. Many of these institutions have custom domains and wish to use them on our platform. To facilitate this, we require them to update their DNS records to point to our server, necessitating SSL integration to ensure secure and encrypted connections.

Integrating Let's Encrypt SSL services into our system will enable us to offer these secure connections, thereby enhancing the online presence and security of our partnered universities. Your support in setting up and automating SSL certificate issuance and renewal for our platform would be invaluable.

How can we begin this process?

Hi @vululleh1,

Please start here: Getting Started - Let's Encrypt

And possibly this as well: Integration Guide - Let's Encrypt

3 Likes

Some design aspects will depend on whether you will be running multiple servers and which server operating system you will use.

For instance, if you use Caddy as your web server then it can automatically configure HTTPS using HTTP domain validation.

Sometimes it's necessary to use DNS validation instead of HTTP validation (depending on server configuration etc.), in which case the custom domains would need to point an _acme-challenge CNAME record at the corresponding record in a DNS zone you control.

There are hundreds of ways to configure hosted websites for custom domains so it's really driven by your own architecture. I would advise learning how to use ACME certificate management in general before designing a large scale system that uses it.

8 Likes
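The two replies above describe the decision a provisioning service has to make for each custom domain: HTTP-01 when the customer's A or CNAME record already reaches your servers, DNS-01 via a delegated _acme-challenge CNAME otherwise (and always for wildcards), and a hold when neither is in place. The following is an added example of that decision logic, not code from the thread or from Let's Encrypt. The platform IPs, the hostname customers may CNAME to, the delegation zone and the DNS lookups are all constructed; a real job would fill `DnsView` from a resolver and hand the chosen challenge type to an ACME client.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed platform facts (not from the thread): our public IPs (TEST-NET-3
# documentation range), the hostname customers may CNAME to, and the zone
# we control for _acme-challenge delegation.
OUR_SERVER_IPS = {"203.0.113.10", "203.0.113.11"}
OUR_HOSTNAMES = {"edge.example-platform.org"}
OUR_ACME_ZONE = "acme.example-platform.org"


@dataclass
class DnsView:
    """Records looked up for one requested name. For a wildcard '*.x', the
    records are those of the base name 'x'. Constructed here; a production
    job would populate this from a DNS resolver."""
    a: set = field(default_factory=set)      # A records of the name itself
    cname: Optional[str] = None              # CNAME of the name, if any
    acme_cname: Optional[str] = None         # CNAME target of _acme-challenge.<name>


def points_at_us(view: DnsView) -> bool:
    """True if web traffic for the name already lands on our servers."""
    return bool(view.a & OUR_SERVER_IPS) or view.cname in OUR_HOSTNAMES


def challenge_delegated(view: DnsView) -> bool:
    """True if _acme-challenge.<name> aliases a record inside our zone."""
    target = (view.acme_cname or "").rstrip(".").lower()
    return target.endswith("." + OUR_ACME_ZONE)


def choose_validation(name: str, view: DnsView):
    """Pick the ACME challenge for one requested name.

    Returns (challenge, reason); challenge is 'http-01', 'dns-01', or None
    when the customer's DNS is not ready and onboarding should be paused
    rather than burning failed validations."""
    if name.startswith("*."):
        # Wildcards are only issuable through dns-01, so delegation is mandatory.
        if challenge_delegated(view):
            return "dns-01", "wildcard via delegated _acme-challenge CNAME"
        return None, "wildcard requested but _acme-challenge is not delegated to us"
    if points_at_us(view):
        return "http-01", "A/CNAME resolves to our servers"
    if challenge_delegated(view):
        return "dns-01", "traffic not pointed at us yet, but challenge CNAME is delegated"
    return None, "DNS neither points at us nor delegates the challenge; ask customer to update records"


# Constructed sample lookups (.example is reserved for documentation).
SAMPLE_DNS = {
    "portal.university-a.example": DnsView(a={"203.0.113.10"}),
    "portal.university-b.example": DnsView(cname="edge.example-platform.org"),
    "portal.university-c.example": DnsView(a={"198.51.100.7"}),
    "*.university-d.example": DnsView(acme_cname="d-token.acme.example-platform.org."),
    "*.university-e.example": DnsView(a={"203.0.113.10"}),
}


def plan_onboarding(dns=SAMPLE_DNS):
    """Map every requested name to its (challenge, reason) decision."""
    return {name: choose_validation(name, view) for name, view in dns.items()}


if __name__ == "__main__":
    for name, (challenge, why) in plan_onboarding().items():
        print(f"{name:30} {challenge or 'HOLD':8} {why}")
```

The useful property is that a name that is not ready produces a hold with a customer-facing reason instead of an issuance attempt; repeated failed validations count against rate limits and give the customer no actionable feedback.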

As a preface to the information above:

As long as the DNS records point to your services - either as A records or CNAMEs - you will be able to use the HTTP validation method for those specific fully qualified domain names.

If you need to support wildcard certificates, you will need to have them CNAME two additional records onto your system - one for the registered domain and another for the wildcard. The best way to accomplish this is to run an instance of acme-dns on your network and have your clients' records point there.

Lastly, please be aware of the rate limits and how they work. You may eventually need to apply for a rate limit increase on your domain. For those clients that use their own domains, you will need to work with them on how to schedule onboarding around their own rate limits - as their custom domain on your system would be competing with rate limits against their registered domains, not yours.

3 Likes
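The last post's point about rate limits is that a customer's custom domain is counted against the customer's registered domain, so onboarding several hostnames for one university has to be paced per registered domain, not globally. Below is an added example of that pacing, written for this thread and not taken from Let's Encrypt or any ACME client. The limit and window values are placeholders to be set from the currently published Let's Encrypt limits, the issuance history is constructed, and the registered-domain extraction is a deliberate simplification (production code should use the Public Suffix List).

```python
from datetime import datetime, timedelta, timezone

# Assumed policy parameters (not from the thread): set these from the
# published Let's Encrypt rate limits rather than trusting the placeholders.
CERTS_PER_REGISTERED_DOMAIN = 50
WINDOW = timedelta(days=7)


def registered_domain(name: str) -> str:
    """Crude registered-domain extraction: the last two labels.
    Assumption for this example: customers use simple second-level names.
    Suffixes such as 'ac.ke' need the Public Suffix List to be handled correctly."""
    labels = name.lstrip("*.").rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def schedule(pending, history, now, limit=CERTS_PER_REGISTERED_DOMAIN, window=WINDOW):
    """Decide which pending hostnames may be issued now under a sliding window.

    pending: hostnames awaiting their first certificate.
    history: registered domain -> list of past issuance datetimes (UTC).
    Returns (issue_now, deferred) where deferred maps a hostname to the
    earliest time a slot frees up for its registered domain."""
    issued_this_run = {}    # registered domain -> slots consumed in this run
    deferred_this_run = {}  # registered domain -> hostnames already queued behind the limit
    issue_now, deferred = [], {}
    for host in pending:
        rd = registered_domain(host)
        recent = sorted(t for t in history.get(rd, []) if t > now - window)
        used = len(recent) + issued_this_run.get(rd, 0)
        if used < limit:
            issued_this_run[rd] = issued_this_run.get(rd, 0) + 1
            issue_now.append(host)
            continue
        # The oldest in-window issuance leaves the window first; the k-th
        # deferred host for this domain needs k+1 slots to free up. Slots
        # consumed in this run expire last, at now + window.
        idx = used - limit + deferred_this_run.get(rd, 0)
        earliest = recent[idx] + window if idx < len(recent) else now + window
        deferred[host] = earliest
        deferred_this_run[rd] = deferred_this_run.get(rd, 0) + 1
    return issue_now, deferred


# Constructed sample data: one university already near its (toy) limit.
NOW = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)
HISTORY = {
    "university-a.example": [
        NOW - timedelta(days=10),   # outside the window, no longer counts
        NOW - timedelta(days=6),
        NOW - timedelta(days=2),
    ],
}
PENDING = [
    "portal.university-a.example",
    "lms.university-a.example",
    "portal.university-b.example",
]


def demo(limit=2):
    """Run the scheduler on the constructed data with a small limit for readability."""
    return schedule(PENDING, HISTORY, NOW, limit=limit)


if __name__ == "__main__":
    issue_now, deferred = demo()
    print("issue now:", issue_now)
    for host, when in deferred.items():
        print(f"defer {host} until {when.isoformat()}")
```

Keying the window on `registered_domain(host)` is what makes the scheduler honour the customer's limit instead of the platform's; with a limit of 2 in the constructed run, university-a's two pending hostnames are deferred to when its 6-day-old and 2-day-old certificates drop out of the window, while university-b's hostname is issued immediately.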