# general
s
this is a general dev question for anyone who’s done this before: say we have a web app, app.myapp.net, which a user can use a CNAME to point their own domain to. I imagine this would yield an SSL error since the SSL for *.myapp.net doesn’t match the user’s CNAME. I assume this means we’d have to build a back-end process that generates an SSL cert for every user? anyone have experience with this kind of thing?
t
Yeah this is a bit of an annoying thing to set up but is a really nice experience for the user. If you want something out the door you can refer your customers to https://cloak.ist/ where they can put anything behind their own URL. If you want to do it yourself you'll need to initiate an SSL certificate flow with Let's Encrypt and give your customer the DNS entries they require to prove ownership of the domain. Once they put it in, Let's Encrypt should pick it up and give you a certificate. This is a good concept for a simple SaaS product though, an API to add this feature to your app with little work
s
Yeah, I’d probably want to build it ourselves.. maybe a 2-3 day task or something
I imagine there’s a Let’s Encrypt API or something
I wonder if AWS Certificate Manager can do this stuff, too. I’ll have to look into that
I believe it can
a
As long as you’re using either ALBs or CloudFront distributions in AWS, then ACM will likely be much easier than building an automated flow with Let’s Encrypt. Though both should be possible.
But if you need those certs anywhere else, the ACM ones can’t be exported or used anywhere other than those AWS resources
s
nice! I figured as much. every service has an API, so it should be doable. and no, I don’t need to use the certs anywhere else. it’s literally just letting a customer point their domain to our web app