
Edge TLS at scale: how Caddy on-demand kept us out of Let's Encrypt jail

When your customers add hundreds of custom domains a week, the path through the LE rate-limiter is not the marketing tour.

Infrastructure · 7 min read · Tomás Costa · Edge Engineering

Let's Encrypt is generous, but its rate limits are real: 50 certificates per registered domain per week, 5 duplicate certificates per week, and 300 pending authorizations. None of those numbers is hostile to a single application. All of them are hostile to a multi-tenant PaaS that lets customers add custom domains at click-speed.

Caddy's on-demand TLS solves this with a simple ask-before-issue handshake. When the first TLS request for an unknown hostname arrives, Caddy pauses, asks our control plane 'is this a real customer domain?', and only on a yes does it kick off the ACME flow. The 'ask' endpoint is an internal API that consults the same domains table the dashboard writes to. Bad guesses, scanners, and stale DNS records get a polite no — and never touch the rate-limit budget.
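A minimal version of that 'ask' endpoint, written here as an added example and not CubitRace's code: a Go handler that answers Caddy's `GET ...?domain=` query with HTTP 200 only for hostnames present in a constructed stand-in for the domains table, and refuses everything else before any ACME order exists. It assumes Caddy is configured with `on_demand_tls { ask http://127.0.0.1:9123/check }` in the global options and `tls { on_demand }` in the site block; the port, path and sample domains are assumptions.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
)

// Constructed stand-in for the control plane's domains table (hostname -> tenant).
var customerDomains = map[string]string{
	"shop.example.com": "tenant-42",
	"www.example.org":  "tenant-7",
}

// normalizeHost canonicalizes the value Caddy passes as ?domain= and rejects
// inputs that must never start an ACME order: empty, oversized, wildcard, IP.
func normalizeHost(raw string) (string, bool) {
	h := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(raw), "."))
	if h == "" || len(h) > 253 || strings.Contains(h, "*") || net.ParseIP(h) != nil {
		return "", false
	}
	return h, true
}

// lookupTenant returns the tenant that owns host, if it is on the table.
func lookupTenant(raw string) (string, bool) {
	h, ok := normalizeHost(raw)
	if !ok {
		return "", false
	}
	tenant, found := customerDomains[h]
	return tenant, found
}

// askHandler implements Caddy's on-demand "ask" contract: HTTP 200 means "issue",
// any other status means "refuse". A refusal never reaches the ACME client, so
// it costs nothing against the Let's Encrypt rate-limit budget.
func askHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := lookupTenant(r.URL.Query().Get("domain")); !ok {
		http.Error(w, "unknown domain", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/check", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", nil)) // assumed internal-only listener
}
```

Bind the listener to an internal address only: anything that can reach it can make Caddy spend issuance budget on a hostname of its choosing.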

We layered two extra safeguards. First, a Redis-backed circuit breaker that backs off when we hit transient ACME errors, so a flapping upstream cannot burn through the budget with retries. Second, TLS-ALPN-01 with HTTP-01 fallback, so a single broken DNS record on a customer domain does not block the rest of the issuance pipeline. The result: 99.97% of new domains have a working cert within 15 seconds of DNS propagation, and we have never been rate-limited.
