7

We have given customers the option to allow custom domains which ultimately point to our server by changing the CNAME.

Some of our customers would like to have SSL enabled for their domain, but I am wondering how to manage certificates for them. I am aware of SNI, which helps to have multiple certificates for the same IP address, but I still need to buy a certificate for every custom domain and upload it manually.

Is there a way we can automate the process/manage the certificates in a better way?

guntbert
  • Have a look at [Let's Encrypt](https://letsencrypt.org/): free certificates (free as in "no money involved") plus automatization for major web servers. – Steffen Ullrich Nov 16 '17 at 06:15

2 Answers

2

You have the option of using Let’s Encrypt and certbot, which automates this process somewhat, as Steffen pointed out in the comments.

Keep in mind that both Let’s Encrypt and SNI may result in problems with older browsers and operating systems, because some do not support SNI and some do not trust Let’s Encrypt.

Another way (not appropriate for this scenario) is to get one certificate for all subdomains, but that’s not meant for this case and will lead to many more problems.

Tobi Nary
  • At this point in time I'm comfortable saying that anyone whose browser has trouble with SNI websites needs to update their goddamn browser already. – Shadur Jun 13 '18 at 07:03
  • If not even server administrators apply patches regularly and timely (check for Heartbleed, for example), you shouldn’t assume the users do. – Tobi Nary Jun 13 '18 at 07:49
2

We ran into the same problem with a SaaS we were building for a client. We ended up using a reverse proxy over Nginx to handle this along with Let’s Encrypt. We ran a script that basically added the domains. A bit tedious but gets the job done.

Addendum: Here’s a service that actually does this for you: https://tenantssl.com

geetfun
  • There is a lot of software doing this, e.g. [lua-resty-auto-ssl](https://github.com/GUI/lua-resty-auto-ssl) will generate a certificate for all domains you point to the server automatically. – Josef Jun 11 '18 at 07:20
  • @geetfun I think you implemented nginx for storing domain names in a file (by taking from this api) dynamically and giving them to nginx config. And by restarting the nginx. Did you get this job by the way? And by this way did you use a SAN UCC certificate?. – Hamit YILDIRIM Mar 23 '20 at 15:47
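
A sketch of the kind of "add the domains" script the second answer describes, as an added example that is not code from the thread or its authors: it validates each customer-supplied hostname before it reaches the nginx config, then produces the certbot invocation and a per-domain server block that nginx selects via SNI. The backend address, webroot path and sample domains are assumptions, and the certbot account is assumed to be registered already.

```python
import re

# Assumed values for illustration; none of them come from the thread.
UPSTREAM = "http://127.0.0.1:8080"  # hypothetical SaaS backend behind the proxy
WEBROOT = "/var/www/acme"           # hypothetical directory nginx serves for HTTP-01
LIVE_DIR = "/etc/letsencrypt/live"  # certbot's default output directory
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize_domain(raw):
    """Return the lower-cased hostname, or raise ValueError if it is not a plain
    DNS name. Anything else could inject directives into the nginx config."""
    name = raw.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"not a valid hostname: {raw!r}")
    return name

def certbot_argv(domain):
    """Argument list (no shell involved) for a webroot-validated certificate."""
    return ["certbot", "certonly", "--non-interactive",
            "--webroot", "-w", WEBROOT, "-d", normalize_domain(domain)]

def nginx_server_block(domain):
    """One server block per tenant; nginx picks the certificate via SNI."""
    d = normalize_domain(domain)
    return f"""server {{
    listen 443 ssl;
    server_name {d};
    ssl_certificate     {LIVE_DIR}/{d}/fullchain.pem;
    ssl_certificate_key {LIVE_DIR}/{d}/privkey.pem;
    location / {{
        proxy_pass {UPSTREAM};
        proxy_set_header Host $host;
    }}
}}
"""

def plan(domains):
    """Split customer input into (accepted hostnames, rejected raw values)."""
    accepted, rejected = [], []
    for raw in domains:
        try:
            accepted.append(normalize_domain(raw))
        except ValueError:
            rejected.append(raw)
    return accepted, rejected

# Constructed sample input: two usable names, two that must be refused.
SAMPLE = ["shop.customer-a.example", "Blog.Customer-B.example.", "name.example; }", "-bad.example"]
```

Run the certbot command and confirm the certificate files exist before enabling the generated block, because nginx fails its config test when a referenced certificate is missing. A check that the domain's CNAME actually points at your server belongs before issuance as well, so that arbitrary names do not consume Let's Encrypt rate limits.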