Feature/acme

elijah requested to merge elijah/platform:feature/acme into develop

easy as pie:

grab latest leap_cli

export ACME_STAGING=1
cd bitmask
leap deploy webapp
leap cert register # only do this once ever
leap cert renew demo.bitmask.net
leap cert renew dev.bitmask.net

run without ACME_STAGING in order to grab actual, real life certificates.

the 'leap deploy' is only needed because there are platform changes needed to get apache configured to work with the Let's Encrypt verification process.

one remaining issue: the way this works currently, the certificate for demo.bitmask.net.crt includes its full CA chain in the same file. this is handy, but is not how we have assumed it works.

right now, we are additionally appending the ca. we need to prevent this from happening in some way, either by including an empty ca cert in the hiera file, or adding some logic in puppet to skip appending the ca to certs if the cert already includes its own chain.
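The second option described above (skip appending the CA when the certificate file already carries its own chain), as an added Ruby example. It is not code from this merge request or from the platform's puppet manifests; the function names and the placeholder PEM bodies are assumptions, and the check looks only at PEM block boundaries, not at X.509 contents.

```ruby
# Added example (not platform code): decide whether the CA still needs to be
# appended to a certificate file, looking only at PEM block boundaries.
BLOCK = /(-----BEGIN CERTIFICATE-----\s(.*?)-----END CERTIFICATE-----)/m

# Return [full_block, normalized_body] for every certificate in the text.
# Bodies are whitespace-stripped so CRLF or re-wrapped copies compare equal.
def cert_blocks(pem)
  pem.to_s.scan(BLOCK).map { |full, body| [full, body.gsub(/\s+/, "")] }
end

# Build the file the web server should be given.
def assemble_cert(cert_pem, ca_pem)
  have = cert_blocks(cert_pem).map(&:last)
  raise ArgumentError, "no certificate block found" if have.empty?
  return cert_pem if have.size > 1       # cert file already carries its chain
  missing = cert_blocks(ca_pem).reject { |_, body| have.include?(body) }
  return cert_pem if missing.empty?      # empty CA, or CA already present
  ([cert_pem.strip] + missing.map(&:first)).join("\n") + "\n"
end

# Constructed placeholders: these bodies are not real certificates.
def fake_cert(body)
  "-----BEGIN CERTIFICATE-----\n#{body}\n-----END CERTIFICATE-----\n"
end

LEAF      = fake_cert("TEVBRg==")
CA        = fake_cert("Q0E=")
FULLCHAIN = LEAF + CA                    # what the ACME-issued .crt looks like

if __FILE__ == $PROGRAM_NAME
  puts cert_blocks(assemble_cert(FULLCHAIN, CA)).size  # chain left untouched
  puts cert_blocks(assemble_cert(LEAF, CA)).size       # CA appended once
end
```

Passing an empty string as the CA covers the other option from the description (an empty ca cert in the hiera file): the certificate is returned unchanged.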
