teleclimber / Dropserver

An application platform for your personal web services. https://dropserver.org
Apache License 2.0

Automate process of obtaining and renewing appspace TLS certs #77

Closed teleclimber closed 1 year ago

teleclimber commented 2 years ago

Right now we're using a wildcard cert for entire domain that can be used as appspaces. But renewing wildcard domains on letsencrypt is a manual process, and it's annoying as heck. If we could generate and update one cert per appspace we'd avoid this problem.

Look at https://github.com/caddyserver/certmagic for help, or its underlying library https://github.com/mholt/acmez.

Also potentially helpful: https://github.com/go-acme/lego

teleclimber commented 2 years ago

Note this may have a big impact on how DS can be put behind a reverse proxy. Somehow you need to let the reverse proxy know about the new certs when they are generated. This is definitely going to be different for each proxy.

Right now I tend to use HAProxy which should have pretty good support to make this happen, but still need to wire it up, and someone using not-HAProxy has nothing.

Also consider CaddyServer, which actually may be able to do this all? Maybe with a little help? Worth investigating.
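
To illustrate the per-appspace approach discussed in the two comments above (one cert per hostname, selected by SNI, and swapped in at renewal without restarting the listener), here is an added Go example; it is not Dropserver's code. The hostname `app1.dropserver.example` and the `SelfSigned` helper are constructed stand-ins for certs an ACME client such as certmagic would obtain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"strings"
	"sync"
	"time"
)

// CertStore keeps one certificate per appspace hostname; Put swaps a renewed
// cert in while the TLS listener keeps serving, so renewals need no restart.
type CertStore struct{ certs sync.Map } // lowercase hostname -> *tls.Certificate

func (s *CertStore) Put(host string, c *tls.Certificate) {
	s.certs.Store(strings.ToLower(host), c)
}

// GetCertificate is meant to be set as tls.Config.GetCertificate: each handshake
// receives the cert for the SNI name it asked for; hosts with no cert are refused.
func (s *CertStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	v, ok := s.certs.Load(strings.ToLower(hello.ServerName))
	if !ok {
		return nil, errors.New("no certificate for appspace host " + hello.ServerName)
	}
	return v.(*tls.Certificate), nil
}

// SelfSigned constructs a self-signed cert for host as a stand-in for the
// ACME-issued cert a real deployment would obtain (constructed test material).
func SelfSigned(host string, ttl time.Duration) (*tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}
```

A listener built from `&tls.Config{GetCertificate: store.GetCertificate}` picks up a renewed cert on the next handshake after `Put`, which is the behaviour a reverse proxy in front of DS would also need to reproduce.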

teleclimber commented 1 year ago

Implemented in 3c8a79692271b610fe2ece23de8ada02813e469f