This article introduces a series of more technical articles here on the blog, which I want to post more often.

I will divide this article into three parts: problem, search, and solution.


I wish Changelogfy users could create their changelog pages in their custom domains, such as

But the address that the application creates is as follows https://{subdomain}

Now you might be thinking: this is very simple, just create a CNAME record from to https://{subdomain}

And you're right, that would work if you didn't need SSL encryption.

Google Chrome, the world's most widely used browser, has been forcing websites to use the HTTPS protocol since version 68 in 2018.

Search for the solution

The main initial difficulty was that I didn't even know what to look for, as I was unfamiliar with the problem.

It took many days of reading and searching the internet for content until I began to understand the problem and what possible solutions I would adopt.

To give you an idea, I even thought that the customer should use a service like Cloudflare, for example, to generate SSL certificates.

But thanks to my persistence I found some solutions on the web.

The solution I most identified and used was, but there are others like Shopify for example.


As I mentioned in the previous phase I chose to use the method, it consists of creating a PROXY server in front of our servers.

The server used was OpenResty with lua-resty-auto-ssl enabled. I will explain how it works:

Every time a Changelogfy client enables a custom domain in the admin panel, this information is saved to our databases and also to a permanent Redis server.

When a visitor first accesses your domain for example, OpenResty checks in Redis whether your domain really belongs to a valid Changelogfy customer (business rule). If this condition is true, it advances to the next stage.

SSL certificate creation

Here OpenResty also requires a Redis connection, only this time it checks whether the domain already has a certificate or not.

If the domain does not already have a valid SSL certificate, one is created and saved in Redis, so you will be able to perform backups and migrate between servers, among other things.

Certificate Renewal

Another important point is certificate renewal: with OpenResty you can configure the interval after which existing certificates are renewed.

For example, Let's Encrypt certificates expire after 90 days by default, so you can set OpenResty to renew certificates every 60 days and avoid taking unnecessary risks.

Example nginx configuration for OpenResty + lua-resty-auto-ssl:

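events {
  worker_connections 1024;
}

http {
  # Shared memory for certificate data and module settings
  lua_shared_dict auto_ssl 10m;
  lua_shared_dict auto_ssl_settings 64k;

  # The resolver address is missing from the page; 8.8.8.8 (Google public DNS) is assumed
  resolver 8.8.8.8 ipv6=off;

  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- Keep certificates in Redis instead of on the local filesystem
    auto_ssl:set("storage_adapter", "resty.auto-ssl.storage_adapters.redis")
    auto_ssl:set("redis", {
      host = "REDIS_IP",
      auth = "REDIS_PASS",
      port = "6379"
    })

    -- Only issue certificates for domains registered in Redis
    auto_ssl:set("allow_domain", function(domain, auto_ssl)
        local redis_connection = auto_ssl.storage.adapter:get_connection()
        -- Fail closed if Redis is unreachable
        if not redis_connection then
           return false
        end

        local res = redis_connection:get(domain)

        if not res then
           return false
        end

        if res == ngx.null then
           return false
        end

        return true
    end)

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  # HTTPS server
  server {
    listen 443 ssl;

    location / {
        resolver 8.8.8.8;  # use Google's open DNS server

        set $path '';
        access_by_lua '
            -- business logic here
        ';

        # UPSTREAM_HOST is a placeholder; the upstream host is missing from the page
        proxy_pass https://UPSTREAM_HOST$request_uri;
    }

    # Load (or request) the certificate for the requested hostname
    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }

    # Fallback certificate, required for nginx to start
    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
  }

  # HTTP server
  server {
    listen 80 default_server;

    location / {
      return 301 https://$host$request_uri;
    }

    # Endpoint used for the ACME domain validation challenge
    location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }
  }

  # Internal server for certificate tasks; keep it on loopback only
  server {
    listen 127.0.0.1:8999;
    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }
}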
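
The allow_domain callback in the configuration treats any hostname that exists as a key in Redis as eligible for a certificate, so the admin-panel code that writes those keys is the place to validate the hostname. The following Python is an added example of that write path, not Changelogfy's code; PLATFORM_SUFFIX, the function names and the dict standing in for Redis are assumptions.

```python
import ipaddress
import re

PLATFORM_SUFFIX = "platform.example"  # assumption: stands in for the service's own domain
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


class DomainRejected(ValueError):
    """Raised when a submitted custom domain must not be allow-listed."""


def normalize_custom_domain(raw: str) -> str:
    """Return the canonical hostname to store, or raise DomainRejected."""
    host = raw.strip().lower().rstrip(".")
    # Reject URLs, ports, userinfo, wildcards and embedded whitespace up front.
    if not host or any(c in host for c in "/:@*? \t"):
        raise DomainRejected("not a bare hostname")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise DomainRejected("IP literals are not custom domains")
    try:
        host = host.encode("idna").decode("ascii")  # store IDNs in punycode form
    except UnicodeError:
        raise DomainRejected("invalid internationalized name")
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise DomainRejected("malformed hostname")
    if host == PLATFORM_SUFFIX or host.endswith("." + PLATFORM_SUFFIX):
        raise DomainRejected("platform domains are not custom domains")
    return host


def enable_custom_domain(store, customer_id: str, raw: str) -> str:
    """Validate, then write the key that allow_domain will later look up.

    `store` is a dict here (constructed stand-in); against real Redis,
    SET with NX makes the ownership check and the write atomic.
    """
    host = normalize_custom_domain(raw)
    owner = store.get(host)
    if owner is not None and owner != customer_id:
        raise DomainRejected("domain already claimed by another customer")
    store[host] = customer_id
    return host
```
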

This was my first technical article here on the Changelogfy blog.

If you have any questions, please comment below.

See you in the next article!