Limitations with respect to wildcard certs or domains per app?

I’m working on an app that automatically assigns subdomains to projects that people create through it (like Slack does with my-slack-org-name.slack.com subdomains for Slack orgs). People can also assign custom domains to projects they create on the app. I’m trying to evaluate which Elixir hosting service to use it on based (in part) on how easy/difficult it is to handle setting up custom domains and subdomains.

Heroku has a limit of 1000 custom domains per app, which makes it a non-starter for my project.

Gigalixir doesn’t limit the number of associated domains, except for adhering to Let’s Encrypt’s rate limits, and does let you assign them via an API, but for wildcards you have to provide certs yourself and contact them to get them set up — wildcard certs can’t be created via the API.

It looks like fly.io’s API lets you add custom domains including wildcards via the API. Is that correct? And are there limits to the number of domains that can be associated with a specific app?

Fly will happily vend wildcard certs and terminate TLS on your app’s behalf.

(Note: I haven’t tried those steps myself, but they seem pretty straightforward. We instead vend wildcard certs from ZeroSSL and terminate TLS ourselves. How are you managing cert files with Fly?)

  1. Create a fly-app.
  2. Update DNS A / AAAA records (you want to generate certs for, say, fly.domain.tld and *.fly.domain.tld) to point to your fly-app’s IPs: fly ips list -a <fly-app-name> (fly uses ALPN challenges to procure certs?).
  3. Run flyctl certs create fly.domain.tld and flyctl certs create "*.fly.domain.tld"
  4. Profit?

Ref: SSL for Custom Domains

Wildcard cert for *.fly.domain.tld can serve TLS for xyz.fly.domain.tld / 123.fly.domain.tld / <up-to-any-63-chars>.fly.domain.tld but not for fly.domain.tld or abc.domain.tld or xyz.123.fly.domain.tld.

Single hostname cert for fly.domain.tld will serve TLS for fly.domain.tld alone, and nothing else. I am not sure how many single hostname certs fly allows per-app, but you’d not want to vend very many single hostname certs, anyway (given the logistics of it all).

Up to 10 fly-managed single hostname (dns name, ex: fly.domain.tld) certificates are free. Fly-managed wildcard certs (ex: *.fly.domain.tld) cost $2/mo.

2 Likes
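The coverage rules in the answer above, as an added example that is not part of any post in this thread and is not Fly's code: a matcher for exact and single-label wildcard certificate names, plus a guard that keeps a user-chosen project slug to one DNS label so its hostname stays under the wildcard. The function names are hypothetical, and the letters-digits-hyphen label rule is an assumption stricter than anything the thread states.

```python
import re

# Assumption: one DNS label is 1-63 letters/digits/hyphens, no edge hyphen.
LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def cert_name_covers(cert_name, hostname):
    """True if one certificate name (exact or '*.' wildcard) covers hostname."""
    pattern, host = _labels(cert_name), _labels(hostname)
    if not all(LABEL_RE.fullmatch(label) for label in host):
        return False  # empty label, over-long label, or a literal '*'
    if len(pattern) != len(host):
        return False  # a wildcard stands in for exactly one label
    if pattern[0] == "*":
        return pattern[1:] == host[1:]
    return pattern == host


def covered_by(cert_names, hostname):
    """Return the certificate names that can serve TLS for hostname."""
    return [n for n in cert_names if cert_name_covers(n, hostname)]


def project_hostname(slug, base="fly.domain.tld"):
    """Build <slug>.<base>, rejecting slugs that are not a single label."""
    slug = slug.lower()
    if not LABEL_RE.fullmatch(slug):
        raise ValueError("slug must be one DNS label: %r" % slug)
    return slug + "." + base


if __name__ == "__main__":
    certs = ["fly.domain.tld", "*.fly.domain.tld"]  # names from the answer
    for host in ["fly.domain.tld", "xyz.fly.domain.tld", "123.fly.domain.tld",
                 "abc.domain.tld", "xyz.123.fly.domain.tld"]:
        print(host, "->", covered_by(certs, host) or "not covered")
```

A slug containing a dot would produce a hostname two labels below the base, which the wildcard does not cover, so `project_hostname` rejects it up front.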

@ignoramous posted a great answer. To add on, you can create an unlimited number of certificates on your Fly app. We can handle millions. This is part of why we have a certificate fee: it makes it very easy for us to justify scaling the certificate system as big as it needs to go.

2 Likes

That is great to hear! I just learned I was actually wrong about Gigalixir not having a cap on the number of custom domains you can have, so I’m pretty sure I’m gonna be migrating to Fly. Really appreciate the clarity!

1 Like