ocaml / ocaml.org

The official OCaml website.
https://ocaml.org

HTTPS and LE Challenges #231

Open patricoferris opened 2 years ago

patricoferris commented 2 years ago

@hannesm has left some valuable feedback on the old PR that added some LE logic (not currently turned on in production). I don't want to lose the feedback from https://github.com/ocaml/v3.ocaml.org-server/pull/182#issuecomment-1013262308 so I'm creating an issue and copying the feedback here. Thanks @hannesm!

Hmm, I'm not entirely sure about Dream and let's encrypt integration -- a sustainable way would be if there's no change / redeploy needed when the certificate expires. To achieve that, I'd approach this as follows:

  • use the ALPN challenge from let's encrypt (to free the path of HTTP requests are not upgraded to HTTPS #81 and just redirect all HTTP requests to HTTPS)
  • somehow allow in dream that an already established TLS socket (+ALPN string) is used
  • a Lwt_engine.on_timer that whenever the certificate is about to expire (5 days earlier, ..) pulls a new one from let's encrypt and directly uses it (for new connections)
  • the above could avoid any restarts / termination of active connections... very similar to how unipi and tlstunnel are doing it...

Ultimately, integrating let's encrypt into dream makes very good sense. Esp. now that dream contains a http client implementation as well :)
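The four points above describe a renewal design rather than code: answer the TLS-ALPN-01 challenge on the existing TLS listener, keep a current certificate that new handshakes pick up, and run a timer that replaces it a few days before expiry so nothing has to restart. The following is an added, language-neutral model of that design written for this issue, not code from Dream, ocaml.org, unipi or tlstunnel. It assumes plain records in place of X.509 certificates, a caller-supplied issuer function in place of an ACME client, and a simulated clock in place of `Lwt_engine.on_timer`, so it runs offline; the `CertStore`, `run_timer` and `demo` names are inventions of this example.

```python
"""Certificate hot-swap and TLS-ALPN-01 dispatch, modelled without a real TLS stack.

Constructed example: Cert is a stand-in for a chain + key, `issuer` stands in
for the ACME client, and run_timer stands in for a periodic Lwt_engine timer.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

ACME_ALPN = "acme-tls/1"          # ALPN protocol id for TLS-ALPN-01 (RFC 8737)
RENEW_LEAD = timedelta(days=5)    # renew this long before notAfter ("5 days earlier")


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate: what the dispatcher needs to know."""
    hostname: str
    serial: int
    not_after: datetime
    acme_challenge: bool = False  # True for the throw-away TLS-ALPN-01 cert


class CertStore:
    """Holds the live cert plus any pending challenge certs.

    A handshake reads `live` once, so connections established before a swap
    keep the object they snapshotted and are never disturbed by renewal.
    """
    def __init__(self, live: Cert) -> None:
        self.live = live
        self.challenges: Dict[str, Cert] = {}

    def select(self, sni: Optional[str], alpn: List[str]) -> Cert:
        """Pick the cert to present for one ClientHello (sni + ALPN list)."""
        if ACME_ALPN in alpn:
            # The ACME validator offers acme-tls/1 alone; this example treats a
            # mixed list as suspicious and refuses rather than serve the
            # challenge cert to ordinary application traffic.
            if alpn != [ACME_ALPN]:
                raise ValueError("acme-tls/1 must be the only offered protocol")
            cert = self.challenges.get(sni or "")
            if cert is None:
                raise ValueError(f"no pending challenge for {sni!r}")
            return cert
        return self.live

    def renewal_due(self, now: datetime) -> bool:
        return now >= self.live.not_after - RENEW_LEAD

    def renew(self, now: datetime, issuer: Callable[[str, datetime], Cert]) -> bool:
        """Renew when due; returns True if the live cert was swapped."""
        if not self.renewal_due(now):
            return False
        new = issuer(self.live.hostname, now)
        if new.not_after <= self.live.not_after:
            return False  # refuse to downgrade to a shorter-lived cert
        self.live = new  # single reference swap: no restart, no dropped connections
        return True


def run_timer(store: CertStore, issuer, start: datetime, end: datetime,
              interval: timedelta = timedelta(hours=12)) -> List[datetime]:
    """Simulated periodic timer; returns the instants at which a swap happened."""
    swaps, now = [], start
    while now <= end:
        if store.renew(now, issuer):
            swaps.append(now)
        now += interval
    return swaps


def demo() -> dict:
    """90-day certs, 100 simulated days: one renewal at day 85, old conn untouched."""
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
    issued = [0]

    def issuer(host: str, now: datetime) -> Cert:  # constructed ACME stand-in
        issued[0] += 1
        return Cert(host, serial=issued[0], not_after=now + timedelta(days=90))

    store = CertStore(issuer("ocaml.org", t0))
    early_conn = store.select("ocaml.org", ["h2", "http/1.1"])  # accepted before renewal
    swaps = run_timer(store, issuer, t0, t0 + timedelta(days=100))
    late_conn = store.select("ocaml.org", ["http/1.1"])         # accepted after renewal
    return {"swap_days": [(t - t0).days for t in swaps],
            "early_serial": early_conn.serial,
            "late_serial": late_conn.serial,
            "issued": issued[0]}


def challenge_demo() -> tuple:
    """Challenge cert only for a pure acme-tls/1 hello; live cert otherwise."""
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
    store = CertStore(Cert("ocaml.org", 1, t0 + timedelta(days=90)))
    store.challenges["ocaml.org"] = Cert("ocaml.org", 99, t0 + timedelta(days=7), acme_challenge=True)
    served_challenge = store.select("ocaml.org", [ACME_ALPN]).acme_challenge
    served_live = store.select("ocaml.org", ["h2", "http/1.1"]).serial
    try:
        store.select("ocaml.org", [ACME_ALPN, "h2"])
        mixed_rejected = False
    except ValueError:
        mixed_rejected = True
    return served_challenge, served_live, mixed_rejected


if __name__ == "__main__":
    print(demo(), challenge_demo())
```

The two things worth carrying into a real implementation are the snapshot-at-handshake rule (the listener reads the current certificate once per connection, so a swap is a pointer update rather than a reload) and the ALPN gate (the challenge certificate is presented only to a hello whose ALPN list is the ACME one, so it never reaches browser traffic). Everything else, from the 5-day lead to the 12-hour tick, is policy that a deployment can tune.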

tmattio commented 2 years ago

This needs to be implemented upstream. We will deploy the server without a reverse proxy once Dream supports LE certificate provisioning.