dshop
[Deployment UX] Investigate ogn.app wildcard on CDN
Investigate if it's possible to create a wildcard cert for the default subdomains (e.g. ogn.app for our mainnet backend). This would save time waiting for SSL provisioning for a user's first deployment.
Replaces #117
Google-managed SSL certificates don't support using wildcards
From the GCP load balancing documentation
Can we generate one manually and use that?
Maybe doable via self-managed certs, but it's not clear what needs to be done for that yet.
I'm just leaving notes in the issue here as I go.
Looks like we're going to need to build a custom integration with Let's Encrypt for this using their ACME protocol/REST API. There doesn't appear to be any friendly nodejs clients right now. The process will likely go something like this during node setup:
- Configure network settings including node `domain`
- Configure DNS, or at least verify control of previously mentioned `domain`
- Start ACME process, get DNS verification token (bit of guesswork here, need more research)
- Update DNS with verification token to prove control
- Issue cert request
- Store key+cert into encrypted network config on backend
- Create `sslCertificates` object in GCP for the wildcard cert for `domain` using predictable name and the generated cert
- When creating new CDNs, use wildcard `sslCertificates` cert for `*.[domain]`
This will also need a Bull queue job to run every N minutes/hours to deal with renewal.
Going to try and press through #697 first and return back to this as this won't be a quick & simple solution.
There do appear to be standardized ACME clients, though, which should speed up implementation a bit, as long as they support v2 with DNS.
- https://github.com/publishlab/node-acme-client
- https://github.com/buschtoens/acme-v2
@mikeshultz is this something you're working on or finished? If not, shall we move it to the backlog?
Backlog, I guess