by prohor 3427 days ago
Well, ACME would be perfect, but actually any fully automated process would do.

We provide on-prem software available via browser. And well, we want to be very nice to our customers, so upon installation we also set up a subdomain in a domain that we control and request a certificate for that. At the end of installation we provide the user with an HTTPS URL where the service is available and with a valid certificate :-) Of course they can later opt out, use their domain or certificate, but we make it work without security warnings from the first moment.

1 comments

Do you have to control the domain? That's the main source of your rate limiting issues.

If you can use different domains for different customers, then you can scale that better.

Look into Caddy for automatic ACME integration: https://caddyserver.com/ - This + DNS or HTTP challenge, it sounds like this might work for you.

Thanks for the hints. The Caddy server looks nice.

The default and simplest scenario is that our domain is used, so that the user is not forced to set up DNS, but they can if they wish. But of course having a set of domains is an option. The problem with that is that there is still a limited set of domains that we could use and that still easily match the product.