Stateless ACME HTTP Challenges

Tags: development, startups, tls, ssl, certificates, saas
If you are building a SaaS product where you accept custom domains, you need to handle SSL for those domains.
Cloudflare will do it for $2, which is criminally expensive!
 
In reality you could just have customers CNAME to you and then forward to the Vercel/Firebase IPs; that should work because they do HTTP challenges too. But how do they do that without the customer having to set any cert-specific DNS records?
With the DNS challenge, you can use ACME delegation: the customer sets an _acme-challenge CNAME record pointing to your domain, which lets you complete the DNS challenge on their behalf. Asking them for one additional record is not demanding, but we can reduce the burden further by using HTTP challenges.
The HTTP challenge has traditionally been harder to pull off because existing solutions have been stateful: a single load-balancer node, certbot instance, etc. kept track of every outstanding challenge. Not only was this not highly available, it was also tedious to operate and could easily overwhelm a single server at scale.
How do we make the HTTP challenge stateless?
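The key observation, shown here as an added example rather than the post's own code: the HTTP-01 response body is fully derivable from the token in the request URL plus the ACME account key's JWK thumbprint (RFC 8555 section 8.1, RFC 7638), so every node only needs the shared account key and keeps no per-challenge state. The example assumes an RSA account key; the listen port, the token length bound and generating the key in main are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"regexp"
	"strings"
)

// Path the CA fetches (RFC 8555 s8.3). Tokens are base64url with >= 128 bits of entropy, so >= 22 chars; the upper bound is our own sanity limit.
const challengePrefix = "/.well-known/acme-challenge/"
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]{22,256}$`)

// jwkThumbprint: RFC 7638 thumbprint = base64url(SHA-256 of the sorted, whitespace-free JWK JSON).
func jwkThumbprint(pub *rsa.PublicKey) string {
	b64 := base64.RawURLEncoding.EncodeToString
	canon, _ := json.Marshal(map[string]string{ // encoding/json emits map keys in sorted order
		"e": b64(big.NewInt(int64(pub.E)).Bytes()), "kty": "RSA", "n": b64(pub.N.Bytes()),
	})
	sum := sha256.Sum256(canon)
	return b64(sum[:])
}

// challengeResponder answers HTTP-01 for any hostname with no per-challenge state, returning the
// key authorization token "." thumbprint. The thumbprint is derived from the public key, so nothing secret leaks.
func challengeResponder(thumbprint string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.URL.Path, challengePrefix)
		if r.Method != http.MethodGet || token == r.URL.Path || !tokenRe.MatchString(token) {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, token+"."+thumbprint)
	})
}

func main() { // assumption: in production the account key is loaded from shared storage instead
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", challengeResponder(jwkThumbprint(&key.PublicKey))))
}
```

Because the response depends only on the token and the account key, any number of nodes behind a load balancer can answer the CA's request identically, and the CA will only accept it for tokens it issued to that account.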
 
Bonus: here is code that uses the DNS challenge and follows CNAMEs. I added it to lego, since its support only followed a single CNAME; I made it follow up to 50.
 
Good luck using those certs now - k8s isn’t super elegant