Use caddy's certmagic library for extensible/robust ACME handling

[techknowlogick]

Also bumps minimum required version of go.

By using certmagic we can use the same ACME library that Caddy uses. This also allows us to increase the number of ACME challenges that we can run. This PR adds TLSAPLN challenge, but in a later PR could be extended to use DNS challenges.

Additional things that could be added in a later PR are storing certs using different storage managers (such as minio, or redis).

[codecov-io]

Codecov Report

Merging #14177 (02e8c2e) into master (1722299) will increase coverage by 0.01%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master   #14177      +/-   ##
==========================================
+ Coverage   41.85%   41.87%   +0.01%     
==========================================
  Files         745      746       +1     
  Lines       79816    79827      +11     
==========================================
+ Hits        33410    33429      +19     
+ Misses      40885    40879       -6     
+ Partials     5521     5519       -2     

Impacted Files	Coverage Δ
cmd/web.go	0.00% <ø> (ø)
cmd/web_letsencrypt.go	0.00% <0.00%> (ø)
modules/avatar/avatar.go	50.00% <0.00%> (-4.77%)	⬇️
services/pull/pull.go	42.15% <0.00%> (ø)
modules/queue/workerpool.go	59.59% <0.00%> (+0.81%)	⬆️
modules/log/file.go	75.20% <0.00%> (+1.60%)	⬆️
services/gitdiff/gitdiff.go	70.93% <0.00%> (+1.93%)	⬆️
modules/charset/charset.go	70.78% <0.00%> (+2.24%)	⬆️
models/unit.go	49.31% <0.00%> (+2.73%)	⬆️
... and 1 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1722299...02e8c2e. Read the comment docs.

[lafriks]

How would you use it on docker/k8s?

[techknowlogick]

How would you use it on docker/k8s?

In k8s you would use cert-manager to request LE certs, but for standard docker installs you'd set it up as before with -p 443:3000 -p 80:3080 assuming you have the redirect_port setup to be 3080

[lafriks]

How would you use it on docker/k8s?

In k8s you would use cert-manager to request LE certs, but for standard docker installs you'd set it up as before with -p 443:3000 -p 80:3080 assuming you have the redirect_port setup to be 3080

Nevermind, I somehow thought you moved out letsencrypt to other command 😅

[zeripath]

OK, so this seems great except:

• it adds a whole DNS implementation
• and another logging framework (zap)

likely other things too in the >400 files changed.

Now I think we could reasonably drop modules/log and switch to Zap and consider using the DNS implementation elsewhere for things like libravatar but we should be careful we're not adding way too much code here.

[techknowlogick]

libdns is a library for working with APIs of various DNS providers (for updating DNS records for the DNS-01 ACME challenge), so not for resolving anything. In terms of adding too much code, I agree. I'd prefer if zap weren't included at all, but most of the other code added is either golang.org/x/net/... and golang.org/x/crypto/... It sucks because technically zap isn't being used at all, as certmagic doesn't log unless it is passed the logger.

[zeripath]

I think we have to approve - it might be reasonable in future to provide a build tag that removes this functionality to reduce and remove these dependencies.