Wildcard subdomains with ssl via load balancer

I am developing a SaaS platform and require a subdomain for each signup. In theory it would be possible to create a new record for each subdomain as someone signs up, but this creates overhead that doesn't exist if wildcard SSL certificates are supported.

I note from the Load Balancer documentation that they are not.

With that said, what would be your recommendation to get past this?

Please note, I am looking for a solution that doesn't require provisioning subdomains for each new sign up, not least because of the rate limits on Let's Encrypt (50 certs a week per registered domain). We could of course use a combination of 100 names per cert to get that up to 5k a week, which would probably be fine, but again that is additional overhead for something which could be very simple.



As per my last comment, I achieved what I wanted via the NGINX Ingress controller, cert-manager and the DO load balancer.

There is an app in the DO marketplace for the NGINX ingress controller.

Then I used cert-manager and set up an initial test as per this article: —-installing-and-configuring-cert-manager

For wildcard certificates you need to use dns01; the documentation is on the cert-manager site: config details for Let's Encrypt, and config for the DO dns01 integration. A couple of points which were not clear to me from the above are that you need to create a secret and that your API key within the secret needs to be base64 encoded. I have created a pull request to update the documentation, but in case you need it before then this is an example secret:

apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cert-manager
data:
  # insert your DO access token here; values under "data" must be base64 encoded
  access-token: "base64 encoded access-token here"

Also, http01 confirmations can take a while, so don't worry.
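To show the rest of the setup the answer above describes (secret, ACME issuer using the DigitalOcean dns01 solver, a wildcard Certificate, and an Ingress that serves it through the NGINX ingress controller), here is an added example manifest set. It is not from the original answer or from the cert-manager project; the domain `example.com`, the names `letsencrypt-staging`, `wildcard-example-com` and `tenant-app`, and the namespaces are assumptions, and the token value is a placeholder. It uses `stringData` on the Secret so Kubernetes performs the base64 encoding, which avoids the manual encoding step the answer had to discover.

```yaml
# Added example (not the answer author's code). Assumed names: example.com,
# letsencrypt-staging, wildcard-example-com, tenant-app. Token is a placeholder.
---
# 1. API token for the dns01 solver. stringData lets the API server base64
#    encode the value for us; the resulting object is identical to one that
#    uses "data" with a pre-encoded value.
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cert-manager
type: Opaque
stringData:
  access-token: "REPLACE_WITH_DIGITALOCEAN_API_TOKEN"   # placeholder, never commit a real token
---
# 2. ClusterIssuer pointed at the Let's Encrypt *staging* directory. Staging has
#    far looser rate limits than production, so validate the pipeline here first
#    and switch "server" to https://acme-v02.api.letsencrypt.org/directory only
#    once the wildcard issuance works (the production limit is the 50 certs/week
#    per registered domain mentioned in the question).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                      # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key     # ACME account key, created by cert-manager
    solvers:
      - dns01:
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns            # the Secret from step 1
              key: access-token
---
# 3. One Certificate covering the apex and every first-level subdomain.
#    Wildcards require dns01; http01 cannot prove control of "*.example.com".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default
spec:
  secretName: wildcard-example-com-tls          # TLS secret the Ingress will reference
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
    - "example.com"
    - "*.example.com"
---
# 4. Ingress for the per-tenant subdomains. Every new signup resolves through
#    the same wildcard host rule and the same certificate, so no per-tenant
#    DNS record or certificate is provisioned.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tenant-app
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "*.example.com"
      secretName: wildcard-example-com-tls
  rules:
    - host: "*.example.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tenant-app                # assumed Service name
                port:
                  number: 80
```

Two things worth keeping in mind with this layout. The `digitalocean-dns` Secret holds a token that can change DNS for the whole account, so it belongs only in the `cert-manager` namespace, with RBAC limiting who can read Secrets there; it is the single credential that, if leaked, lets someone pass dns01 validation for any domain in that account. And a wildcard certificate is shared by every tenant subdomain, so the private key in `wildcard-example-com-tls` protects all tenants at once; treat that Secret with the same care. Progress can be checked with `kubectl describe certificate wildcard-example-com`, which shows the order and challenge state while the DNS TXT record propagates.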