
Generating automatic SSL for custom domains on the fly


Easy Startup analytics gives users the ability to have:

  1. Unlimited status pages for monitoring on a custom domain.
  2. Website analytics capture on a custom domain, for aggressive ad blockers that unknowingly block our privacy-first website analytics.

So to achieve this goal I searched and found a few solutions.

  1. Amazon AWS Certificate Manager (Need to pay for load balancer)
  2. Cloudflare SSL-FOR-SAAS ($2 per website)
  3. OpenResty Lua with Nginx (Not actively maintained open source)
  4. Caddy (Open source and beautiful and easy to use, perfect for my use case)

So the choice was obvious: I went with Caddy, which does exactly this out of the box using Let's Encrypt certificates. It auto-renews, generates SSL certificates on the fly, serves static files and acts as a reverse proxy.

Steps to implement

Follow these steps to get a working installation on Ubuntu. We will be using the On-Demand TLS feature of Caddy as documented here. Another amazingly simple guide to enabling it is available on the Caddy community.

1. Install Caddy on Ubuntu

Caddy's documentation specifies the installation steps here. I just copied and ran these steps right away on my server.

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf '' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf '' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

If you are using Cloudflare DNS, you need to create a wildcard (*) A record and AAAA record pointing to your Caddy server's IP address, and make sure to disable PROXY so the records are DNS only.

2. Set up the Caddy config

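{
    on_demand_tls {
        ask http://localhost:8081/api/private/check  # Caddy asks this URL before issuing
        interval 2m
        burst 20
    }
}

https:// {
    tls {
        on_demand  # obtain the certificate on the first request for a hostname
    }
}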

Caddy will hit your ask endpoint with a GET request carrying a domain query parameter, and you have to return a 200 status code to allow it to create the SSL certificate. This check is required to prevent abuse: otherwise anybody can hit your endpoint and a new certificate will be generated, which can get your server blacklisted by Let's Encrypt for abuse. So please make sure to have all the proper checks in place before deploying in production.
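One way to write the ask endpoint described above, as an added example that is not code from the original post. The registered-domain set, the function names and the 400/403/404 responses are assumptions for illustration; only the path, the port and the domain query parameter come from the config above.

```python
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed sample data: in a real deployment this is a database lookup of
# custom domains that customers have registered and verified (assumption).
REGISTERED_DOMAINS = {"status.customer-a.example", "stats.customer-b.example"}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(domain):
    """Return a canonical lowercase hostname, or None if it is not one."""
    d = (domain or "").strip().lower().rstrip(".")
    if not d or len(d) > 253 or "." not in d:
        return None
    try:
        ipaddress.ip_address(d)      # bare IP addresses never get a certificate
        return None
    except ValueError:
        pass
    return d if all(_LABEL.match(label) for label in d.split(".")) else None

def ask_status(path, registered=REGISTERED_DOMAINS):
    """HTTP status to send back to Caddy for a given request path."""
    url = urlparse(path)
    if url.path != "/api/private/check":
        return 404
    values = parse_qs(url.query).get("domain", [])
    if len(values) != 1:             # missing or repeated parameter
        return 400
    host = normalize(values[0])
    # Exact match only: no wildcards, no suffix matching. Any non-200 denies.
    return 200 if host in registered else 403

class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(ask_status(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

if __name__ == "__main__":
    # Loopback only: the endpoint is for Caddy, not for the internet.
    HTTPServer(("127.0.0.1", 8081), AskHandler).serve_forever()
```

The default request log on stderr records every hostname Caddy asked about, which makes bursts of denied lookups easy to spot.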

And voila, your Caddy config is ready to serve SSL on custom domains for all requests.