cryptutil: add automatic certificate management (#644)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

docs/docs/quick-start/binary.md

@@ -13,7 +13,7 @@ The following quick-start guide covers how to configure and run Pomerium using t
 ## Prerequisites
 
 - A configured [identity provider]
-- A [wild-card TLS certificate]
+- [TLS certificates]
 
 ## Download
 
@@ -54,4 +54,4 @@ Browse to `external-httpbin.your.domain.example`. Connections between you and [h
 [httpbin]: https://httpbin.org/
 [identity provider]: ../docs/identity-providers/
 [make]: https://en.wikipedia.org/wiki/Make_(software)
-[wild-card tls certificate]: ../reference/certificates.md
+[tls certificates]: ../reference/certificates.md

docs/docs/quick-start/from-source.md

@@ -75,4 +75,4 @@ Browse to `httpbin.localhost.pomerium.io`. Connections between you and [httpbin]
 [httpbin]: https://httpbin.org/
 [identity provider]: ../docs/identity-providers/
 [make]: https://en.wikipedia.org/wiki/Make_(software)
-[wild-card tls certificate]: ../reference/certificates.md
+[tls certificates]: ../reference/certificates.md

docs/docs/quick-start/helm.md

@@ -17,7 +17,7 @@ This quick-start will show you how to deploy Pomerium with [Helm](https://helm.s
 - Install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 - Install the [Google Cloud SDK](https://cloud.google.com/kubernetes-engine/docs/quickstart)
 - Install [helm](https://helm.sh/docs/using_helm/)
-- A [wild-card TLS certificate]
+- [TLS certificates]
 
 Though there are [many ways](https://kubernetes.io/docs/setup/pick-right-solution/) to work with Kubernetes, for the purpose of this guide, we will be using Google's [Kubernetes Engine](https://cloud.google.com/kubernetes-engine/). That said, most of the following steps should be very similar using any other provider.
 
@@ -25,7 +25,7 @@ In addition to sharing many of the same features as the Kubernetes quickstart gu
 
 ## Configure
 
-Download and modify the following [helm_gke.sh script][./scripts/helm_gke.sh] to match your [identity provider] and [wild-card tls certificate] settings.
+Download and modify the following [helm_gke.sh script][./scripts/helm_gke.sh] to match your [identity provider] and [TLS certificates] settings.
 
 <<<@/scripts/helm_gke.sh
 
@@ -56,4 +56,4 @@ You can also navigate to the special pomerium endpoint `httpbin.your.domain.exam
 [identity provider]: ../identity-providers/readme.md
 [letsencrypt]: https://letsencrypt.org/
 [script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
-[wild-card tls certificate]: ../reference/certificates.md
+[tls certificates]: ../reference/certificates.md

docs/docs/quick-start/kubernetes.md

@@ -13,7 +13,7 @@ This quickstart will cover how to deploy Pomerium with Kubernetes.
 ## Prerequisites
 
 - A configured [identity provider]
-- A [wild-card TLS certificate]
+- [TLS certificates]
 - A [Google Cloud Account](https://console.cloud.google.com/)
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 - [Google Cloud SDK](https://cloud.google.com/kubernetes-engine/docs/quickstart)
@@ -29,7 +29,7 @@ cd $HOME/pomerium/docs/configuration/examples/kubernetes
 
 ## Configure
 
-Edit [./kubernetes_gke.sh] making sure to change the identity provider secret value to match your [identity provider] and [wild-card tls certificate] settings.
+Edit [./kubernetes_gke.sh] making sure to change the identity provider secret value to match your [identity provider] and [TLS certificates] settings.
 
 <<<@/docs/configuration/examples/kubernetes/kubernetes_gke.sh
 
@@ -68,4 +68,4 @@ You can also navigate to the special pomerium endpoint `httpbin.your.domain.exam
 [identity provider]: ../identity-providers/readme.md
 [letsencrypt]: https://letsencrypt.org/
 [script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
-[wild-card tls certificate]: ../reference/certificates.md
+[tls certificates]: ../reference/certificates.md

docs/docs/quick-start/readme.md

@@ -14,7 +14,7 @@ In the following quick-start, we'll create a minimal but complete environment fo
 
 - A configured [identity provider]
 - [Docker] and [docker-compose]
-- A [wild-card TLS certificate]
+- [TLS certificates]
 
 ## Configure
 
@@ -31,7 +31,7 @@ Ensure the `docker-compose.yml` contains the correct path to your `config.yaml`.
 Download the following `docker-compose.yml` file and modify it to:
 
 - generate new secrets
-- mount your [wild-card TLS certificate]
+- mount your [TLS certificates]
 - mount your `config.yaml` [configuration file]
 
 <<< @/docs/configuration/examples/docker/basic.docker-compose.yml
@@ -58,4 +58,4 @@ You can also navigate to the special pomerium endpoint `httpbin.corp.yourdomain.
 [docker-compose]: https://docs.docker.com/compose/install/
 [httpbin]: https://httpbin.org/
 [identity provider]: ../identity-providers/readme.md
-[wild-card tls certificate]: ../reference/certificates.md
+[tls certificates]: ../reference/certificates.md

docs/docs/quick-start/synology.md

@@ -24,7 +24,7 @@ Pomerium is lightweight, can easily handle hundreds of concurrent requests, and
 - A [docker-capable] synology product
 - A [Google Cloud Account](https://console.cloud.google.com/)
 - A configured Google OAuth2 [identity provider]
-- A [wild-card TLS certificate][certificate documentation]
+- [TLS certificates][certificate documentation]
 
 Though any supported [identity provider] would work, this guide uses google.
 
@@ -46,17 +46,17 @@ Click **Create**.
 
 Set the following **Reverse Proxy Rules**.
 
-| Field                | Description |
-| -------------------- | ----------- |
-| Description          | pomerium    |
-| Source Protocol      | HTTPS       |
-| Source Hostname      | \*          |
-| Destination Port     | 8443        |
-| HTTP/2               | Enabled     |
-| HSTS                 | Enabled     |
-| Destination Protocol | HTTP        |
-| Destination Hostname | localhost   |
-| Destination Port     | 32443       |
+Field                | Description
+-------------------- | -----------
+Description          | pomerium
+Source Protocol      | HTTPS
+Source Hostname      | *
+Destination Port     | 8443
+HTTP/2               | Enabled
+HSTS                 | Enabled
+Destination Protocol | HTTP
+Destination Hostname | localhost
+Destination Port     | 32443
 
 ![Synology setup nginx reverse proxy](./img/synology-reverse-proxy.png)
 
@@ -76,9 +76,9 @@ Once the certificate is showing on the list of certificates screen we need to te
 
 **Click configure**
 
-| Services | Certificate         |
-| -------- | ------------------- |
-| \*:8443  | `*.int.nas.example` |
+Services | Certificate
+-------- | -------------------
+*:8443   | `*.int.nas.example`
 
 ![Synology assign wildcard certificate](./img/synology-certifciate-assignment.png)
 
@@ -170,15 +170,15 @@ These are the minimum set of configuration settings to get Pomerium running in t
 
 Go to **Environment** tab.
 
-| Field                    | Value                                                           |
-| ------------------------ | --------------------------------------------------------------- |
-| POLICY                   | output of `base64 -i policy.yaml`                               |
-| INSECURE_SERVER          | `TRUE`, internal routing within docker will not be encrypted.   |
-| IDP_CLIENT_SECRET        | Values from setting up your [identity provider]                 |
-| IDP_CLIENT_ID            | Values from setting up your [identity provider]                 |
-| IDP_PROVIDER             | Values from setting up your [identity provider] (e.g. `google`) |
-| COOKIE_SECRET            | output of `head -c32 /dev/urandom | base64`                     |
-| AUTHENTICATE_SERVICE_URL | `https://authenticate.int.nas.example`                          |
+Field                    | Value
+------------------------ | ---------------------------------------------------------------
+POLICY                   | output of `base64 -i policy.yaml`
+INSECURE_SERVER          | `TRUE`, internal routing within docker will not be encrypted.
+IDP_CLIENT_SECRET        | Values from setting up your [identity provider]
+IDP_CLIENT_ID            | Values from setting up your [identity provider]
+IDP_PROVIDER             | Values from setting up your [identity provider] (e.g. `google`)
+COOKIE_SECRET            | output of `head -c32 /dev/urandom                               | base64`
+AUTHENTICATE_SERVICE_URL | `https://authenticate.int.nas.example`
 
 For a detailed explanation, and additional options, please refer to the [configuration variable docs]. Also note, though not covered in this guide, settings can be made via a mounted configuration file.