Automate SSL Cert infrastructure

[ryanaslett]

Per #4029 Our current paid SSL certs are valid until 2027, however, they will still need to be manually replaced everywhere, and will need to be funded in the future to ensure continuity of service.

We can eliminate the maintenance and cost of keeping our certificates current by switching over to an ACME based solution (https://acmeclients.com/), giving us free, and automated replacements.

In general we should be using certbot everywhere we can, and fall back on acme.sh if there are any environments where certbot is unsupported.

unofficial-builds is already using this, so the pattern is easily replicable for our other services.

[mhdawson]

If this is the approach recommended by the Foundation, makes sense to me so +1

[iuuukhueeee]

Having a way to automate this would saving us so much time, we certainly would need this.

[richardlau]

unofficial-builds is already using this, so the pattern is easily replicable for our other services.

We (re)discovered in today's Build WG meeting that iojs.org is also using certbot, although it looks like this was never added to the Ansible scripts: https://github.com/nodejs/build/blob/main/doc/non-ansible-configuration-notes.md
(As an aside, the dist.libuv.org references are redundant -- we are no longer hosting downloads for libuv).

[richardlau]

See also https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days which would imply moving to some sort of automation if the certificates have to be replaced more frequently.

[richardlau]

Per #4029 Our current paid SSL certs are valid until 2027, however, they will still need to be manually replaced everywhere, and will need to be funded in the future to ensure continuity of service.

See also https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days which would imply moving to some sort of automation if the certificates have to be replaced more frequently.

FWIW Sectigo now offer an ACME Certificate-as-a-Service (CaaS) for automation. Although I assume our preference if we're making changes is to align with Foundation recommendations/best practices.