
Free & Automatic SSL for Tenant Domains for a SaaS Service !!

Provisioning SSL for your clients, automatically.

As a developer, one of the challenges we often face is provisioning and renewing SSL/TLS certificates for domains. For some of our SaaS projects we need to provision certificates for our clients' own domains (for example a tenant's custom hostname pointed at our platform).

Recently, after a lot of trial and error, I found a simple approach to automatically provide certificates for tenant domains of our SaaS service without any hassle.

I used the Caddy web server and its on-demand TLS feature, which lets Caddy obtain a certificate for a tenant domain the first time a client connects to it, rather than requiring every domain to be listed in the configuration ahead of time.

Caddy is an open-source web server that simplifies HTTPS configuration and certificate management. It automates obtaining and renewing certificates from an ACME certificate authority (Let's Encrypt by default), which makes it a good fit for a multi-tenant SaaS platform.

On-Demand TLS for Tenant Domains

To enable on-demand TLS for tenant domains, we'll use a Caddyfile. Caddy's native configuration format is JSON; the Caddyfile is the simplified, human-friendly format that Caddy adapts into that JSON. Let's dive into the configuration:

# for checking if it belongs to our domain list
{
    email myemail@example.test
    on_demand_tls {
        ask     https://api.example.test/check-domain
        interval 2m
        burst    5
    }
}

# for specific domains
app.example.test {
    reverse_proxy xxx.xxx.xxx.xxx:4000
}

# for any domains
https:// {
    tls {
        on_demand
    }

    handle {
        reverse_proxy xxx.xxx.xxx.xxx:5000
    }
}
Caddy Server Configuration for Automatic SSL provisioning for any domain

Breaking Down the Code

  1. The first block holds Caddy's global options. The email address (myemail@example.test) is registered with the ACME certificate authority as the account contact; Let's Encrypt uses it for certificate expiry notices, so it should be a mailbox someone reads.
  2. The on_demand_tls option is where the magic happens. The ask endpoint (https://api.example.test/check-domain) is responsible for validating tenant domains: before Caddy requests a certificate for a hostname it has not seen before, it sends an HTTP GET to that URL with the hostname in the domain query parameter (for example https://api.example.test/check-domain?domain=shop.tenant.example). A 2xx response permits issuance; any other status denies it. This check is the whole security boundary of the setup: without it, anyone who points a DNS name at your server's IP can make Caddy request certificates for arbitrary names, burning through the CA's rate limits and filling your certificate storage. The code for the endpoint is below.
  3. The interval (2m) and burst (5) values are a rate limit on certificate operations, not a renewal schedule: Caddy will attempt at most burst on-demand certificate requests within each interval window. They do not affect renewal, which Caddy handles automatically for every certificate it manages. Recent Caddy releases have deprecated these two options in favour of relying on the ask endpoint alone, so check the documentation for the version you run.
  4. The next block handles a specific domain (app.example.test) that we own. Caddy obtains a certificate for it through normal automatic HTTPS and proxies requests to the backend server (xxx.xxx.xxx.xxx:4000). Note that TLS terminates at Caddy; the hop to the backend is plain HTTP unless you configure reverse_proxy for HTTPS, so that backend address should be on a private network.
  5. The final block matches any other HTTPS hostname (https:// with no name), and the tls block with on_demand enables on-demand TLS for those hostnames: a certificate is requested during the first TLS handshake for a tenant domain, but only if the ask endpoint approves it.
  6. The handle block then proxies all tenant traffic to the backend server (xxx.xxx.xxx.xxx:5000). The backend sees the original Host header, which is how the SaaS application knows which tenant the request belongs to.

Domain Validation Script

// Example code in Laravel (PHP)
// Caddy calls GET /check-domain?domain=<name>; only a 2xx reply permits issuance.
// Assumes `use Illuminate\Http\Request;` and a `Tenant` model (`use App\Models\Tenant;`)
// with a `domain` column holding each tenant's custom hostname.
public function checkDomain(Request $request)
{
    // Normalise what Caddy sends: lower-case, no trailing dot.
    $domain = strtolower(rtrim((string) $request->query('domain', ''), '.'));

    // Refuse anything that is not a plain hostname (empty value, wildcards, junk).
    if ($domain === '' || str_contains($domain, '*')
        || !filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
        return response('invalid domain', 400);
    }

    // Only hostnames registered to a tenant are allowed a certificate.
    if (Tenant::where('domain', $domain)->exists()) {
        return response('domain is found', 200);
    }

    // Any non-2xx status tells Caddy not to issue a certificate.
    return response('domain is not found', 404);
}
Example Domain Checking code in laravel (PHP)
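The same endpoint contract, as an added stand-alone example that is not from the original post or from the Caddy project: a small Python HTTP service that answers Caddy's ask request. The tenant allowlist, the /check-domain path and the listening port 8080 are constructed assumptions standing in for the Laravel application and its database. The decision is kept in plain functions (check_domain, handle_ask) so it can be tested without starting the server, and it shows the cases the permissive version above would get wrong: wildcard names, IP literals, single labels, a missing or repeated domain parameter, and case or trailing-dot variations of a registered name.

```python
"""Stand-alone `ask` endpoint for Caddy on-demand TLS (added example).

Caddy calls GET <ask URL>?domain=<name> before requesting a certificate.
A 2xx answer permits issuance; anything else denies it.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed allowlist standing in for the SaaS tenant table
# (assumption: a real deployment would query the database instead).
TENANT_DOMAINS = {"shop.tenant-one.example", "www.tenant-two.example"}

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(raw: str) -> str:
    """Lower-case and strip surrounding whitespace and a trailing dot."""
    return raw.strip().lower().rstrip(".")


def is_valid_hostname(domain: str) -> bool:
    """Accept only a plain, fully-qualified hostname.

    Wildcards, dotted-quad IPv4 literals, single labels and over-long
    names are refused so the allowlist lookup never sees malformed input.
    """
    if not domain or len(domain) > 253 or "*" in domain:
        return False
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    if all(label.isdigit() for label in labels):
        return False
    return all(LABEL_RE.match(label) for label in labels)


def check_domain(raw: str, allowlist=TENANT_DOMAINS) -> tuple[int, str]:
    """Return (HTTP status, body) for one domain, as Caddy will interpret it."""
    domain = normalize_domain(raw)
    if not is_valid_hostname(domain):
        return 400, "invalid domain"
    if domain in allowlist:
        return 200, "domain is found"
    return 404, "domain is not found"


def handle_ask(path: str, allowlist=TENANT_DOMAINS) -> tuple[int, str]:
    """Dispatch the request path Caddy sends, e.g. /check-domain?domain=x."""
    parsed = urlparse(path)
    if parsed.path != "/check-domain":
        return 404, "not found"
    values = parse_qs(parsed.query).get("domain", [])
    if len(values) != 1:  # exactly one domain parameter is required
        return 400, "missing domain parameter"
    return check_domain(values[0], allowlist)


class AskHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for handle_ask()."""

    def do_GET(self):
        status, body = handle_ask(self.path)
        payload = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


if __name__ == "__main__":
    # Bind to loopback only: the ask endpoint should never be reachable
    # from the public internet, only from the Caddy host.
    HTTPServer(("127.0.0.1", 8080), AskHandler).serve_forever()
```

With this running, the global option would read `ask http://127.0.0.1:8080/check-domain`. Whatever language you implement it in, keep the endpoint fast and reachable only from Caddy, and never return 2xx by default: a permissive ask endpoint is equivalent to having none.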

In conclusion, the combination of the Caddy web server and on-demand TLS gives SaaS developers seamless, automatic certificate provisioning for tenant domains. The safety of the setup rests entirely on the ask endpoint: it must approve only hostnames that belong to a tenant, and it should be reachable only by Caddy.
Feel free to explore Caddy's documentation and experiment with different configurations to suit your specific use case. Happy coding and stay secure!