Our SSL certificates are not automatically renewed, which makes renewal error-prone. This is a particular problem for Let's Encrypt certs, as they have a very short lifetime.
Previous discussion on internal bug tracker:
tophertimzen:
I can see this being a tricky one to solve, as right now we do manual cert generation for 2 reasons:
- We use openresty, which certbot doesn't support well
- We don't want SAN leakage since we use many domains on each proxy
We have to do a manual ACME challenge for each cert too, so I am unsure how we can automatically update. There is perhaps a way we can script this out to be run on the date certs expire, but I am unsure if certbot can handle this for us.
r00tkillah:
Agreed. I have updated description and title to reflect Let's Encrypt vs certbot. This is a tricky problem. Propose throwing into backlog.
tophertimzen:
Current manual commands are:
sudo certbot certonly --manual --force-renew -d
r00tkillah:
Automated renewal should also be opsec safe.
tophertimzen:
Problems with rules we use in our nginx sites:
- We are redirecting all /
- We need to add root to port 80
- We need to let /.well-known through
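The three nginx points listed at the end of the discussion, sketched as a port-80 server block (an added example, not part of the original issue or the project's configuration). The hostname `example.com`, the webroot `/var/www/acme` and the HTTPS redirect target are assumptions; OpenResty accepts the same nginx configuration syntax.

```nginx
# Added example: port-80 server block that serves ACME HTTP-01 challenges
# from a webroot and redirects everything else.
server {
    listen 80;
    server_name example.com;          # placeholder; one server block per domain

    # "Let /.well-known through": exempt the challenge path from the redirect.
    # The ^~ modifier stops regex locations from overriding this prefix match.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;           # "add root to port 80" (assumed directory)
        default_type text/plain;      # challenge tokens have no file extension
        try_files $uri =404;          # serve only files that actually exist
    }

    # "Redirecting all /": every other request keeps the site's redirect.
    # The target shown here is an assumption; substitute the existing rule.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With a block like this in place, certbot's `--webroot -w /var/www/acme -d example.com` mode can answer the challenge without a manual step, and `certbot renew` reuses the stored settings on later runs. Requesting each domain in its own invocation keeps it in its own certificate, so no domain appears in another's SAN list.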