Support .well-known delegation when issuing certificates through ACME

[babolivier]

Fixes #4552

[codecov-io]

Codecov Report

Merging #4652 into develop will decrease coverage by 0.07%.
The diff coverage is 16.66%.

@@             Coverage Diff             @@
##           develop    #4652      +/-   ##
===========================================
- Coverage    75.27%   75.19%   -0.08%     
===========================================
  Files          338      340       +2     
  Lines        34626    34721      +95     
  Branches      5670     5679       +9     
===========================================
+ Hits         26064    26109      +45     
- Misses        6966     7009      +43     
- Partials      1596     1603       +7

[hawkowl]

I feel like this should be manually configured, not done automagically?

[babolivier]

I'd figure it should be done "automagically", especially since the original issue was mentioning "support .well-known delegation from 1708 and ACME", which I understand as "synapse checking whether there's a .well-known in order to know which domain it should issue a cert for".

[richvdh]

I'm with hawkowl. It should be explicit. The .well-known check, if we do one at all, should just be a sanity-check, but I think it's overkill.

[richvdh]

config opt pls

[erikjohnston]

FWIW I think it should be a config option too, otherwise weird things will happen if we start it up while .well-known is down (e.g. due to restart server at the same time). In general its good if you can always bring up a service, even when dependencies might be temporary down, otherwise restarting the service becomes a lot scarier as you don't know if it'll actually come back.

[babolivier]

Roger that, making it a config parameter. Following @erikjohnston's comment I'll remove the well-known check entirely.

fixed

[richvdh]

lgtm otherwise