← All posts
Engineering7 min readMarch 28, 2026

Auto-SSL for custom domains: how we issue certificates in 30 seconds

Customer adds order.theirrestaurant.com, gets a working SSL cert by the time they finish their next sentence.

By Osama Khan

The user experience

1. Owner types their domain in our dashboard 2. We give them a CNAME record to add at their domain provider 3. They add it. DNS propagates in 1–60 minutes. 4. Owner clicks "Verify" 5. We run `certbot certonly --webroot` programmatically 6. SSL cert issues + LiteSpeed config updates + reload 7. Total wall time from click: ~30 seconds

The challenge: shared catch-all vhost

Our LiteSpeed setup has ONE catch-all vhost that serves the customer ordering page for every domain. The cert renewal needs to serve `.well-known/acme-challenge/` from a specific webroot.

We point the webroot at `/home/smartrestro.pro/public_html` and ensure no vhost rewrite intercepts that path. Result: any new domain works without changing infrastructure.

Auto-renewal

A daily cron runs `certbot renew --quiet --post-hook "lswsctrl restart"`. Certbot checks every cert; only renews ones within 30 days of expiry. Post-hook reloads LiteSpeed.

This means new client domains auto-renew forever without manual intervention. We added this last week after realizing one cert was about to expire silently.

What can go wrong

  • DNS not yet propagated: we retry 3 times, 60-second intervals
  • Customer's domain pointed at wrong IP: error message tells them what to fix
  • Rate limit (Let's Encrypt allows 50 certs per registered domain per week): never hit yet, but we log it

The lesson

Make the hard things one-click. SSL used to be a Friday afternoon project. Now it's faster than ordering coffee.

Enjoyed this?

More writing from inside our build.