Auto-SSL for custom domains: how we issue certificates in 30 seconds
Customer adds order.theirrestaurant.com, gets a working SSL cert by the time they finish their next sentence.
By Osama Khan
The user experience
1. Owner types their domain in our dashboard 2. We give them a CNAME record to add at their domain provider 3. They add it. DNS propagates in 1–60 minutes. 4. Owner clicks "Verify" 5. We run `certbot certonly --webroot` programmatically 6. SSL cert issues + LiteSpeed config updates + reload 7. Total wall time from click: ~30 seconds
The challenge: shared catch-all vhost
Our LiteSpeed setup has ONE catch-all vhost that serves the customer ordering page for every domain. The cert renewal needs to serve `.well-known/acme-challenge/` from a specific webroot.
We point the webroot at `/home/smartrestro.pro/public_html` and ensure no vhost rewrite intercepts that path. Result: any new domain works without changing infrastructure.
Auto-renewal
A daily cron runs `certbot renew --quiet --post-hook "lswsctrl restart"`. Certbot checks every cert; only renews ones within 30 days of expiry. Post-hook reloads LiteSpeed.
This means new client domains auto-renew forever without manual intervention. We added this last week after realizing one cert was about to expire silently.
What can go wrong
- DNS not yet propagated: we retry 3 times, 60-second intervals
- Customer's domain pointed at wrong IP: error message tells them what to fix
- Rate limit (Let's Encrypt allows 50 certs per registered domain per week): never hit yet, but we log it
The lesson
Make the hard things one-click. SSL used to be a Friday afternoon project. Now it's faster than ordering coffee.