Automate generation of certificates using Lets Encrypt

[einari]

When setting up an ingress and associating a domain with we should automatically at that point use Lets Encrypt and ACME to generate a new certificate.

In addition to this we should have a job that runs on a regular cadence to renew certificates that will soon expire.

For verification of the the origin and domain association, we should expose a route that is unprotected that we could expose from our Ingress middleware.

[einari]

The process should be:

• When setting up a domain for an ingress, first issue a self signed certificate. Read more here. The certificate goes into the Managed Environments certificate store.
• Use HTTP-01 challenge to generate new certificate. Look at the following client.

We would need to take the token generated during the ACME process and put it on the file share for the Ingress. The ingress middleware would serve the token at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. Once we get the certificate we would replace the self signed certificate in the certificate store.

[einari]

• [ ] Exclude the .well-known path to the ExcludedPaths
• [ ] Configure nginx.conf for ingress to redirect .well-known path to the ingress middleware
• [ ] Add self signed certificate if there is no certificate already
• [ ] Start ACME challenge - upload generated token to file share
• [ ] Take resulting certificate and add it to the certificate store

For renewals we need a reminder that reminds us ahead of the expiry of the certificate and we perform the last 2 steps of the list above.

[einari]

For inspiration: https://dev.to/shibayan/how-to-quickly-setup-a-lets-encrypt-certificate-in-azure-container-apps-3nd7

[einari]

Look into the API for how a renewal is done