
Show HN: My Weekend Project, AutoSSL - Sandeepg33k
https://autossl.co
======
Sandeepg33k
Creator here. While building my current startup, we had this requirement to
offer custom domains to our users. We also wanted to serve those domains over
HTTPS. After days of searching and brainstorming, I had no luck! I found a
couple of potential solutions but they were either too expensive or too
complicated.

So, I spent a few weeks building an in house solution that automates the whole
process of provisioning and renewing SSL certs for our users. It involves
Let's Encrypt and has been working great so far!

Last week I thought of offering this as a SaaS product. With the help of my
friend, I coded an app where customers can add their domains in a few steps.
It's live at [https://autossl.co](https://autossl.co). Once a domain is added
to our system, we generate a CNAME record for that domain. When the domain is
accessed for the first time, we generate an SSL cert on demand through Let's
Encrypt and renew it every 3 months. I also expose APIs to add domains to our
system. So, if you are a SaaS company offering custom domains to your
customers, you can completely automate SSL issuance in an easy and cost
effective way.

I think it has got some potential. What do you think?

~~~
RachelF
Cool website for a weekend project - what tools did you use to make it?

~~~
Sandeepg33k
I am using Caddy internally in fleet mode and Node.js. Caddy takes care of SSL
negotiation, provisioning, and renewals. My Node.js app sits behind Caddy and
proxies requests to the origin. I am trying to create an edge network where
SSL is negotiated at a location that is closest to the users. Caddy is battle-
tested, but managing multiple Caddy servers, monitoring them and backing up
the certs can become cumbersome. That's the reason I am trying to automate the
whole process for businesses.

------
laken
The branding is confusing. AutoSSL is a very popular feature with WHM/cPanel,
so many shared hosting providers offer their "AutoSSL" service.

Additionally, Let's Encrypt is a partner with cPanel's AutoSSL, so even more
confusion may arise out of that.

For example:
[https://www.google.com/search?q=autossl](https://www.google.com/search?q=autossl)

------
gramakri
I like the idea. My startup started with managed hosting. We use to provide
subdomains of customer.company.com domain for each customer to quickly onboard
users. Later, when the customer was ready to move to their own domain, we had
to ask them to setup A records or provide DNS credentials. The tech stack
wasn't too hard for us but hand holding each customer to get the custom domain
working was the pain point.

* Will AutoSSL also provide a way for the customer to login and provide them instructions on how they can setup the domain on their side?

* Some of our customers had CAA records preventing LE from working. This is about informing the customer that this record exists and what the possible alternatives are.

* This was mentioned elsewhere but AutoSSL is a cPanel feature. So, I would consider rebranding.

* What are the proxying limitations? Does it support Websockets? How much load can it handle?

~~~
Sandeepg33k
Thanks!

> Will AutoSSL also provide a way for the customer to login and provide them
> instructions on how they can set up the domain on their side?

Yes, I expose two APIs - add and delete. When your customer adds a domain, you
can hit our API to whitelist it. The API responds back with CNAME
instructions. Your app just needs to pick it up and display it to the users.

> What are the proxying limitations? Does it support Websockets? How much load
> can it handle?

I have 5 servers right now that handle TLS and fetch content from the origin.
I just did a load testing with about 20K requests per minute, and it did fine.
Will do more tests as I move forward. But before doing anything just wanted to
know if anyone is actually going to use the product. :D

------
t0astbread
That's an interesting fresh idea in the "auto-renew TLS certs" market. (And
the website looks superb!) A few thoughts:

\- If I were a service provider I wouldn't wanna be dependent on a third party
service for something as basic as TLS certs. I'm not an expert in your domain
but to me this looks like something that could happily coexist as a service
with a self-hostable (possibly FOSS) option (since the convenience advantage
of a service is still there).

\- Security: Can you read my customers' traffic? (A self-hosted option could
also help with this for high-sensitivity use cases).

\- What about rate limits? My customers could be in a situation where the
standard LE rate limits are already pretty tight. Can I (and subsequently my
customers) see/manage how much quota AutoSSL is using?

~~~
AtlasBarfed
COmpanies buy "security" "turnkey" solutions all the time, why would this be
anything different?

All that networking hardware terminating SSL between external and internal
traffic can also read all a company's traffic, but I guess Cisco or some
chinese manufacturer is more trustworthy...right?

... not affliated with the OP at all.

Some of the security groups at major fort-500 companies I've worked at were
run by people that could powerpoint well, graduated from surfing suitcase
schools, and showed no awareness of even mass media security failings
(heartbleed).

You'd think these divisions would have extremely smart PhD level security
folks that could follow the basics of what the attacks used, but they were all
just people that did vendor RFPs, made dumb policies (8 char max password,
only use approved versions of software that were already out of date and had
known vulnerabilities, internal password change site wouldn't show in Chrome
because the cipher suite was hopelessly compromised)

~~~
t0astbread
A difference between on-prem solutions like networking hardware and outsourced
services is that the on-prem solution doesn't phone home (at least not the
processed data hopefully).

Different idea though: Shouldn't GDPR data processing agreements cover these
sorts of cases?

------
francislavoie
So, a few comments:

\- Branding as SSL is confusing, SSL is dead. TLS is the replacement.

\- SaaSes can just front their apps with
[https://caddyserver.com/v1/docs/automatic-
https](https://caddyserver.com/v1/docs/automatic-https)

\- Writeup of a SaaS using Caddy for this instead:
[https://ohdear.app/blog/how-we-used-caddy-and-laravels-
subdo...](https://ohdear.app/blog/how-we-used-caddy-and-laravels-subdomain-
routing-to-serve-our-status-pages)

~~~
gramakri
There's also
[https://github.com/containous/traefik](https://github.com/containous/traefik)
(caddy is awesome too)

------
coderobe
>SSL is terminated at an edge location that is closest to the users.

So this is routing plain text http for most of the connection and at the same
time giving the managed _edge location_ direct access to the traffic _and_ a
valid tls cert for the domain? Isn't that mostly snake oil then, as the secure
connection never originates from the target service?

~~~
Sandeepg33k
Hi.. The TLS is terminated at the edge, and from that point we fetch the data
from origin server. As long as the origin has SSL, the communication is secure
end-to-end.

~~~
philsnow
you're talking about "piecewise end-to-end".

the "end"s are the _browser_ and the _origin_, and if there isn't a single
secure channel that goes all the way between them, that's not "end to end".

I mean take the "piecewise" argument to its natural conclusion.

If the reason it's okay for you to be in the middle is that you're going to
ensure that your request to origin is also encrypted, why should you be the
only party in between that can decrypt the contents of the connection?

Why not let the ISP also decrypt the contents? What about the layer 3
interconnect providers? How about your cable modem and your router (they're
_probably_ patched 'enough' that it's safe to let them see your plaintext).

I'm harping because misuse of the term "end to end" is _actually dangerous_ to
real people.

All of this is to say nothing of the fact that when you allow "middle-boxes",
the client no longer has control over the ciphers that are used for the end-
to-end connection, so they lose control over perfect forward secrecy.

~~~
philsnow
you might say,

> but this is what cloudflare does!

yes, and it already caused one of the worst breaches in the short history of
the internet
[https://news.ycombinator.com/item?id=13718752](https://news.ycombinator.com/item?id=13718752)

------
gumby
“vanity” domain? Only big corps are real; all else is vanity?

Seems like yet another betrayal of the end-to-end principle (as is this
product for that matter)

~~~
AtlasBarfed
Come on, all domains are vanity.

~~~
gumby
Good point: we can’t use IP addresses as machines may move but domain names
should have been generated at time of request, _à la_ lisp gensyms: G001.com,
G002.com. Perhaps randomize the numerical component to avoid gaming the
system.

Is it too late to make this switch? Names are sort of like that in China.

~~~
robjan
Names are like that in China because they are puns and rhymes for Chinese
words. It's easier to remember for people who don't know pinyin and quicker to
input.

------
mantoto
I would have said that the companies who would most benefit of this is also be
the company who should not outsource this.

------
Phillips126
Possible bug report:

From the home page, I click the "Features" link, then press the back button on
my browser. It returns a blank white page with the text: "An unexpected error
has occurred." No other links seem to do this (probably has something to do
with the hash url).

I'm on Windows 10 using the latest Chrome.

------
deedubaya
Interesting niche. I wouldn't use it because I don't want my customer's web
traffic dependent on your edge servers being up, available, and not overloaded
with the traffic of your other customers.

------
peter_d_sherman
Great idea! Wishing you a lot of luck!

------
thrownaway954
"So, I spent a few weeks building an in house solution". That's not a weekend
project. So you just stated it was get more attention for yourself... that's
little dishonest isn't it?

~~~
Sandeepg33k
We have actually been using it for our existing product
[https://hashnode.com/devblog](https://hashnode.com/devblog). So, I thought
why not let everyone use it? That's when I spent my weekend coding an app that
lets customers sign up and add their domains. :)

------
kissgyorgy
This makes no sense. TLS termination should be done locally at the site, not
at some random server on another end of the internet. It doesn't make any
website safer, it is literally a man-in-the-middle.

~~~
pfundstein
Also, and not that a bit of competition is bad, but doesn't Cloudflare already
provide this service?

~~~
lpellegr
Yes, starting at $5000 per month...

