The Hund Blog

Multitenancy & Let’s Encrypt

In this blog post, I will discuss Hund's method for automatically securing customer's custom domains.

Traditionally, providing TLS/SSL certificates for clients' custom domains has been a difficult task for multitenant services. While many services do allow customers to use a custom domain, this process is usually slow and manual, and sometimes requires customers to provide a certificate.

We saw the potential to smooth this process out by removing the majority of customer involvement, and automating the process on our part. So with the help of Let's Encrypt, Hund can now automatically issue a TLS certificate for status pages that use a custom domain:

custom domain demonstration

Initially, this may seem like an easy feature to implement. However, being a status page provider with infrastructure spread across several availability zones, domain validation is difficult as every web server must respond to a Let's Encrypt validation challenge within seconds of a custom domain request.

Our solution was to develop a microservice, named certmanager, that handles all of the heavy-lifting involved in the creation, deletion, and renewal of certificates. This microservice keeps certificate logic away from our main application, reducing certificate management to simple adapter calls. Furthermore, certmanager uses a network file system to distribute challenge files, certificates, and metadata across our infrastructure.

After a customer sets a custom domain via our dashboard, certmanager will validate domain control by creating a challenge file provided by the CA, which is immediately available on all web servers for the CA to access. Next, we issue a CSR (using a newly generated 4096-bit RSA private key) to Let's Encrypt. Finally, Let's Encrypt provides us with a newly issued TLS certificate, effectively securing the customer's custom domain.

Hund is proud to be among the first few companies, such as Shopify, that are now leveraging Let's Encrypt to automatically secure customer's branded domains. We encourage other SaaS companies to consider offering free Let's Encrypt certificates in this fashion.