Skip to Content

Glossary

On-demand TLS (ACME automation)

On-demand TLS is a method for issuing an HTTPS certificate the first time a hostname is actually requested, instead of provisioning every certificate ahead of time. The edge asks an authorization step whether the incoming hostname is allowed, and if it is, it runs the ACME protocol against a certificate authority such as Let's Encrypt to obtain a certificate on the spot, caches it, and serves the connection over HTTPS.

What does on-demand TLS mean?

A traditional TLS setup issues certificates in advance. You know your hostnames, you request certificates for them, and you install them before any traffic arrives. That works when the list of hostnames is small and stable. It stops working when your customers keep adding their own domains, because you cannot pre-issue a certificate for a hostname you have not seen yet.

On-demand TLS flips the timing. Certificates are issued lazily, at the moment of the first TLS handshake for a hostname, rather than eagerly at deploy time. When a request arrives for customer.example.com, the edge checks an allow decision, issues the certificate if the hostname passes, and remembers it for future requests. Nothing has to be provisioned by hand.

What is ACME automation?

ACME is the protocol that certificate authorities like Let's Encrypt use to prove that you control a hostname and to hand you a certificate for it. ACME automation means a machine, not a person, runs those steps: it requests an order, answers the challenge (usually an HTTP or DNS check), collects the signed certificate, and schedules a renewal before the certificate expires.

For a single site, you can run a tool like an ACME client on a cron job and forget about it. For a platform serving thousands of customer domains, ACME automation has to run continuously, in parallel, and it has to make a per-hostname decision every time a new domain shows up. That is the job on-demand TLS performs at the edge.

Why is automating Let's Encrypt for customer domains hard?

The mechanics look simple until you run them at scale. A certificate authority enforces rate limits, so a burst of new domains can hit a ceiling and stall issuance if requests are not paced. Challenges fail for ordinary reasons: DNS has not propagated, the customer pointed the record at the wrong target, or an apex record cannot be a CNAME. Each failure needs a retry policy that backs off instead of hammering the authority.

There is also an abuse surface. If your edge issues a certificate for any hostname that resolves to it, an attacker can point a domain at your infrastructure and make you request certificates on their behalf. So the allow decision has to be authoritative: only issue for hostnames your platform actually recognizes. And renewals never stop. Every certificate expires, so you are running a background loop that must keep every domain current, or connections start failing with expiry errors.

How does Custom Domain manage issuance and renewal?

Custom Domain runs on-demand TLS at the edge for you. When a customer domain is added, the platform detects the customer's DNS host, writes the records, and verifies ownership. The first time a verified hostname is requested, the edge issues a certificate through ACME, caches it, and serves HTTPS. Your customer never opens a DNS panel and you never touch an ACME client.

Issuance fails closed. A hostname that has not been verified does not get a certificate, which keeps the abuse surface shut. Rate limits are respected, challenge retries back off, and renewals run automatically in the background so certificates refresh before they expire. This same behavior is what lets platforms serving AI agents and end-customer domains attach a domain and have it working over HTTPS in minutes rather than days.

Frequently asked questions

What is on-demand TLS?

On-demand TLS issues an HTTPS certificate the first time a hostname is requested rather than provisioning it in advance. The edge checks whether the hostname is allowed, runs ACME to obtain a certificate, caches it, and serves the connection securely.

How do you automate Let's Encrypt for many customer domains?

You run ACME automation at the edge with a per-hostname allow decision. Each new domain triggers issuance on first request, renewals run on a background loop, and rate limits and challenge failures are handled with pacing and backoff so issuance stays reliable across thousands of domains.

What does "fail closed" mean for certificate issuance?

Fail closed means a hostname that has not passed verification does not get a certificate. This prevents anyone from pointing an arbitrary domain at your edge and forcing certificate requests, keeping the issuance path safe from abuse.

Do certificates renew automatically?

Yes. Custom Domain runs renewals in the background so every certificate refreshes before it expires. There is no cron job to maintain and no manual step, so connections keep serving valid HTTPS without intervention.

Is ACME for SaaS different from a single-site setup?

Yes. A single site can pre-issue one certificate and renew it on a timer. A SaaS platform must issue on demand for hostnames it has never seen, decide per hostname whether issuance is allowed, respect authority rate limits, and keep thousands of certificates renewed at once.

Related terms