Let's Encrypt

A free, automated, public Certificate Authority. The default issuer for most modern SaaS custom-domain setups.

Let's Encrypt is a non-profit Certificate Authority that issues TLS certificates for free. You can mint a cert in about 30 seconds with an automated client. It's the reason your SaaS doesn't have a $20K/year Comodo bill.

How it works at a high level

  1. Your edge calls Let's Encrypt's API saying "I want a cert for acme.com."
  2. Let's Encrypt responds with a challenge: "Prove you control this domain. Either put this token at a specific URL on the domain (HTTP-01), or publish this token as a TXT record (DNS-01)."
  3. Your edge satisfies the challenge.
  4. Let's Encrypt verifies the challenge passed.
  5. Your edge submits a Certificate Signing Request.
  6. Let's Encrypt returns a signed certificate, valid for 90 days.

Rate limits (the bit that bites you at scale)

If you're running multi-tenant SaaS with thousands of custom domains, these are the limits to know:

  • 50 new certs per registered domain per week (per FQDN). Mostly irrelevant for SaaS since each tenant has their own domain.
  • 300 new orders per account per 3 hours. This is the one that hurts.
  • 5 duplicate certs per week (same exact set of hostnames). Doesn't usually matter.

The 300-per-3-hours limit means if you onboard 500 customer domains in a single afternoon, you'll hit a rate-limit wall. Solutions:

  • Stagger issuance over time.
  • Run multiple ACME accounts and rotate.
  • Use a paid CA (DigiCert, GlobalSign) above a threshold.
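The first two solutions can be combined in one scheduler. The sketch below is an added example, not code from this page or from any ACME client: it plans issuance so that no account exceeds 300 orders in any 3-hour span, rotating across accounts when more than one is available. The function names, account labels and tenant domains are hypothetical, and treating the limit as a strict sliding window is an assumption.

```python
from collections import Counter, deque

# Figures from the rate-limit list above; modelled here as a sliding window.
ORDER_LIMIT = 300
WINDOW_SECONDS = 3 * 3600


def plan_issuance(domains, accounts, limit=ORDER_LIMIT, window=WINDOW_SECONDS):
    """Return [(offset_seconds, account, domain), ...] such that no account
    places more than `limit` orders in any `window`-second span."""
    if not accounts:
        raise ValueError("need at least one ACME account")
    recent = {acct: deque() for acct in accounts}  # order times still counted

    def next_slot(acct):
        q = recent[acct]
        # A full window frees a slot only when its oldest order ages out.
        return q[0] + window if len(q) >= limit else (q[-1] if q else 0)

    plan = []
    for domain in dict.fromkeys(domains):  # drop duplicates, keep order
        # Earliest free slot wins; ties go to the least-loaded account (rotation).
        acct = min(accounts, key=lambda a: (next_slot(a), len(recent[a])))
        when = next_slot(acct)
        q = recent[acct]
        if len(q) >= limit:
            q.popleft()
        q.append(when)
        plan.append((when, acct, domain))
    return sorted(plan, key=lambda p: p[0])  # stable: keeps onboarding order


def summarize(plan):
    """Count planned orders per (offset_seconds, account) batch."""
    return dict(Counter((when, acct) for when, acct, _ in plan))


if __name__ == "__main__":
    # Constructed sample: 500 tenant domains onboarded in one afternoon.
    tenants = [f"tenant{i}.example" for i in range(500)]
    for accounts in (["acct-a"], ["acct-a", "acct-b"]):
        print(accounts, summarize(plan_issuance(tenants, accounts)))
```

With one account, the 500-domain afternoon splits into 300 orders now and 200 three hours later; with two accounts everything fits in the first window. A production scheduler would also pace orders inside each batch and leave headroom below the limit.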

Why every custom-domain SaaS uses it

Because the alternative is paying $50–$200 per domain per year, multiplied by thousands of customer domains. The math doesn't work without a free CA.
