Let’s Encrypt integration

[swalkinshaw]

Issue: #328

This PR adds Let's Encrypt integration. It will automatically create a valid, production-ready SSL certificate through LE and configure your WP site to use it.

These certifications expire every 90 days so there's a cronjob to renew them monthly.

There's a new provider option under the ssl object for each WP site. Valid options are:

• self-signed - used in development
• manual - when you already have a key and cert you just want copied over
• letsencrypt - invokes automatic LE certificate flow

Testing

• You need a publicly accessible server
• Make sure a WP site has

ssl:
  enabled: true
  provider: letsencrypt

• Optionally remove letsencrypt_ca from group_vars/all/main.yml if you want a real production cert. Otherwise you are using Let's Encrypt's staging server and the CA isn't verified in browsers. Note: LE production has rate limits. So don't exhaust the limit just testing unless you need a real cert.
• Provision server as usual

Todo:

• Renewal script does not generate bundled certificate
• Improve idempotence
• Only run letsencrypt (toggle via variable)
• Add the "reverse" (www or non-www) hosts for multi domain certs
• More testing
• Set default CA to production
• Docs - https://github.com/roots/docs/blob/ssl-docs-add-providers/trellis/ssl.md

[richvida]

Great work!

[swalkinshaw]

Updated this with ea20374 thanks to @fullyint so that the manual letsencrypt_enabled variable isn't needed anymore. We'll automatically detect if any WP sites use letsencrypt.