[9front] wildcard in auth/acmed

["Dave MacFarlane" <driusan@driusan.net>]

I was trying to use a Let's Encrypt certificate to host a subdomain,
and the only way I could figure out how to do that was a wildcard certificate
because !/bin/service/tcp443 takes the certificate as an argument before
rc-httpd knows what domain it's for.

A wildcard certificate for *.example.com doesn't cover example.com
with no prefix, so I had to add it as a subject alternative name, but Let's Encrypt
seems to ignore the -t dns and send an http-01 challenge for the non-wildcard
portion and a dns-01 challenge for the wildcard.

I added a "hybrid" type to auth/acmed which determines whether to use dnschallenge
or httpchallenge based on the challenge, but isn't compatible with -o since dnschallenge
and httpchallenge need different formats.

With this, I was able to register a certificate request I created by: 

auth/rsa2csr 'CN=*.example.com,example.com' $certkey>$csr 
auth/acmed -t hybrid $username $acmeuser $csr >$crt

diff 9c2e8e2b13b0d01b7adf88b61af6edfbddd872c1 uncommitted
--- a/sys/src/cmd/auth/acmed.c
+++ b/sys/src/cmd/auth/acmed.c
@@ -633,6 +633,18 @@
 }
 
 static int
+hybridchallenge(char *ty, char *dom, char *tok, int *matched)
+{
+	if (strcmp(ty, "http-01") == 0){
+		challengeout = "/usr/web/.well-known/acme-challenge";
+		return httpchallenge(ty, dom, tok, matched);
+	} else if (strcmp(ty, "dns-01") == 0){
+		challengeout = "/lib/ndb/dnschallenge";
+		return dnschallenge(ty, dom, tok, matched);
+	}
+	return -1;
+}
+static int
 dochallenges(char *dom[], int ndom, JSON *order)
 {
 	JSON *chals, *j, *cl, *id, *wc;
@@ -910,7 +922,13 @@
 	}else if(strcmp(ct, "dns") == 0){
 		challengeout = (co != nil) ? co : "/lib/ndb/dnschallenge";
 		challengefn = dnschallenge;
-	}else {
+	}else if (strcmp(ct, "hybrid") == 0){
+		if (co != nil) {
+			sysfatal("-o not compatible with hybrid challenge");
+		}
+		challengefn = hybridchallenge;
+
+	} else {
 		sysfatal("unknown challenge type '%s'", ct);
 	}