Exploring the idea of a “site id inventory” for pre-generated LE certs mentioned by both @pfg and @jmorahan…
It’s easy enough to pre-generate the 100 site ids and include them in an LE certificate request, but the optimal method of authenticating all of these URLs during the certificate request seems to get a little messy.
I’m using http-01, so in this scenario, instead of provisioning the cert as-needed, I would need these 100 “inventory” site ids to respond to a web request to each of the corresponding URLs. It seems they each would need their own webroot (a certbot -w with each -d) so that when they’re assigned to a customer, this webroot (which would likely be a symlink) would still work for this domain during renewal even though it will now be pointed to a customer’s directory (ie webroot_map in the renewal conf). This would end up touching provisioning, reporting, and billing in one way or another to make work.
Maybe dns-01 is a better route for the “inventory” since this is an internally controlled domain? That would mean a whole new integration with the DNS provider, but possibly easier than these “fake” sites.
As opposed to the “as-needed” LE integration that took me an hour and works great until I start hitting the rate limits, I’m deep down the rabbit hole of significant modifications. This would be the complexity I had hoped to avoid.
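The renewal concern above (a per-site webroot symlink being re-pointed at a customer directory, so that the `webroot_map` entry no longer serves tokens) is the kind of thing worth checking before `certbot renew` runs. The script below is an added example, not code from the post or from certbot: it parses the `[[webroot_map]]` section that certbot writes into its renewal conf, reports every name whose mapped webroot has no `.well-known/acme-challenge` directory, counts how many distinct webroots the certificate depends on, and shows how a single shared `-w` ahead of many `-d` arguments produces one webroot for all inventory names. The hostnames (`site001.example.test`, …) and directories are constructed for the demo; the renewal conf layout it parses is certbot's actual configobj format.

```python
"""Check a certbot renewal conf's webroot_map before renewal.

Added example (not from the forum post or from certbot): every hostname in
the certificate must still map to a webroot that can serve an http-01 token,
otherwise renewal fails for the whole certificate.
"""
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Path under each webroot where certbot writes http-01 tokens.
ACME_CHALLENGE_DIR = ".well-known/acme-challenge"


def parse_webroot_map(conf_text: str) -> Dict[str, str]:
    """Return {domain: webroot} from the [[webroot_map]] subsection.

    certbot stores renewal parameters in configobj format: a [renewalparams]
    section containing a nested [[webroot_map]] subsection of `domain = /path`
    lines. Anything outside that subsection is ignored here.
    """
    mapping: Dict[str, str] = {}
    in_map = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[[") and line.endswith("]]"):
            in_map = line.strip("[]").strip() == "webroot_map"
            continue
        if line.startswith("["):  # any other top-level section ends the map
            in_map = False
            continue
        if in_map and "=" in line:
            domain, path = (part.strip() for part in line.split("=", 1))
            mapping[domain] = path
    return mapping


def check_webroots(mapping: Dict[str, str]) -> dict:
    """Report names whose webroot cannot serve a token, plus the distinct
    webroots the cert depends on. A per-site symlink that was re-pointed to a
    customer directory without the challenge path shows up under `missing`."""
    missing = sorted(
        domain for domain, root in mapping.items()
        if not Path(root, ACME_CHALLENGE_DIR).is_dir()
    )
    return {"missing": missing, "distinct_roots": sorted(set(mapping.values()))}


def build_certbot_webroot_args(domains: Iterable[str], webroot: str) -> List[str]:
    """Argument list for `certbot certonly --webroot` with one shared webroot.

    certbot applies a -w to every -d that follows it until the next -w, so a
    single shared challenge directory needs only one -w for all names.
    """
    args = ["certbot", "certonly", "--webroot", "-w", webroot]
    for domain in domains:
        args += ["-d", domain]
    return args


def demo() -> dict:
    """Build a constructed renewal conf in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp, "acme-shared")    # serves tokens for many names
        customer = Path(tmp, "customer-42")  # re-pointed site, no challenge dir
        Path(shared, ACME_CHALLENGE_DIR).mkdir(parents=True)
        customer.mkdir()
        conf = f"""
[renewalparams]
authenticator = webroot
[[webroot_map]]
site001.example.test = {shared}
site002.example.test = {customer}
site003.example.test = {shared}
"""
        mapping = parse_webroot_map(conf)
        report = check_webroots(mapping)
        report["domains"] = len(mapping)
        return report


if __name__ == "__main__":
    print(demo())
    print(" ".join(build_certbot_webroot_args(
        [f"site{n:03d}.example.test" for n in range(1, 4)], "/var/www/acme")))
```

Running the script reports `site002.example.test` as unable to serve a token and two distinct webroots for a three-name certificate; the same check against a real `/etc/letsencrypt/renewal/<cert>.conf` (read with `Path(...).read_text()`) tells you before renewal which re-pointed inventory sites will break it, rather than finding out from a failed renewal.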