feat(dashmate): add Let's Encrypt SSL provider support #729

Merged
ktechmidas merged 1 commit into v1.0-dev from feat/letsencrypt-ssl-support
Feb 25, 2026
@ktechmidas ktechmidas commented Feb 24, 2026

Summary

  • Add Let's Encrypt as a new SSL certificate provider, integrating dashmate PRs #3000 and #3018
  • Create bin/convert-to-letsencrypt migration script for converting existing HP masternodes
  • Change default SSL provider from self-signed to letsencrypt with infrastructure@dash.org as default email
  • Dashmate handles certificate renewal automatically via built-in cron scheduler — no deploy-side renewal management needed

Changes

| File | Change |
|---|---|
| bin/convert-to-letsencrypt | New SSH-based migration script for existing nodes |
| ansible/roles/dashmate/defaults/main.yml | Default provider → letsencrypt, add email variable |
| ansible/roles/dashmate/templates/dashmate.json.j2 | Add letsencrypt to providerConfigs |
| ansible/roles/dashmate/tasks/ssl/letsencrypt.yml | New Ansible tasks for Let's Encrypt cert obtention |
| ansible/roles/dashmate/tasks/main.yml | Add letsencrypt block in Phase 6, guard ZeroSSL lookups |

Migration (existing nodes)

# Convert all HP masternodes
./bin/convert-to-letsencrypt -n testnet

# Single node
./bin/convert-to-letsencrypt -n testnet -s hp-masternode-1

# Dry run
./bin/convert-to-letsencrypt -n testnet --dry-run

Test plan

  • Run ./bin/convert-to-letsencrypt -n testnet --dry-run to verify script parses inventory correctly
  • Convert a single node: ./bin/convert-to-letsencrypt -n testnet -s hp-masternode-1
  • Verify cert is issued: SSH in and check dashmate config get platform.gateway.ssl.provider returns letsencrypt
  • Full deploy test: ./bin/deploy -p --tags=dashmate_deploy testnet and verify letsencrypt config in dashmate.json

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Let's Encrypt SSL certificate support now available for gateway configuration with configurable email settings.
    • New automated migration utility simplifies conversion of masternodes from ZeroSSL or self-signed certificates to Let's Encrypt, featuring network targeting, SSH configuration options, and dry-run mode for safe testing.
  • Chores

    • Updated default SSL provider configuration and system templates.
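
The test plan's verification step, extended to a whole set of nodes, as an added example that is not part of this PR or of the repository's scripts. Only the `dashmate config get platform.gateway.ssl.provider` command comes from the PR; the function names, the `RUNNER` hook and the output format are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: confirm each node reports the expected SSL provider after
# migration, so nodes still on self-signed or zerossl are flagged.

EXPECTED_PROVIDER="letsencrypt"

# Default runner: query the provider over SSH. BatchMode prevents hanging on
# a password prompt; ConnectTimeout bounds the wait for unreachable hosts.
query_provider() {
  ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" \
    'dashmate config get platform.gateway.ssl.provider' 2>/dev/null
}

# classify_host HOST: prints "HOST STATUS DETAIL".
# Returns 0 for ok, 1 for a provider mismatch, 2 when the query failed.
classify_host() {
  local host out rc
  host="$1"
  # RUNNER (hypothetical hook) lets a stub replace SSH for offline testing.
  if out="$("${RUNNER:-query_provider}" "$host")"; then rc=0; else rc=$?; fi
  out="$(printf '%s' "$out" | tr -d '[:space:]')"
  if [ "$rc" -ne 0 ] || [ -z "$out" ]; then
    printf '%s unreachable -\n' "$host"; return 2
  elif [ "$out" = "$EXPECTED_PROVIDER" ]; then
    printf '%s ok %s\n' "$host" "$out"; return 0
  else
    printf '%s mismatch %s\n' "$host" "$out"; return 1
  fi
}

# verify_hosts HOST...: one line per host plus a summary line.
# Returns non-zero if any host is not confirmed on the expected provider.
verify_hosts() {
  local ok bad host
  ok=0; bad=0
  for host in "$@"; do
    if classify_host "$host"; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
  done
  printf 'summary ok=%d failed=%d\n' "$ok" "$bad"
  [ "$bad" -eq 0 ]
}
```

Source the file and call `verify_hosts` with the node names to check; an unreachable node counts as a failure rather than being skipped, so a partial migration cannot pass silently.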

Add Let's Encrypt as a new SSL certificate provider option alongside
existing ZeroSSL and self-signed providers. Dashmate handles renewal
automatically, simplifying the deploy-side management.

- Create bin/convert-to-letsencrypt migration script for existing nodes
- Add letsencrypt provider config to dashmate.json.j2 template
- Add ssl/letsencrypt.yml Ansible tasks for cert obtention
- Change default SSL provider from self-signed to letsencrypt
- Guard ZeroSSL certificate ID lookups with provider check
- Default email: infrastructure@dash.org

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai bot commented Feb 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 830db82 and 33628a8.

📒 Files selected for processing (5)
  • ansible/roles/dashmate/defaults/main.yml
  • ansible/roles/dashmate/tasks/main.yml
  • ansible/roles/dashmate/tasks/ssl/letsencrypt.yml
  • ansible/roles/dashmate/templates/dashmate.json.j2
  • bin/convert-to-letsencrypt

Walkthrough

This change introduces Let's Encrypt SSL support to the Ansible dashmate role. Configuration defaults shift from self-signed to Let's Encrypt certificates, a new Ansible task file handles certificate provisioning, and a CLI utility automates migration from ZeroSSL/self-signed to Let's Encrypt for HP masternodes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| SSL Provider Configuration: ansible/roles/dashmate/defaults/main.yml, ansible/roles/dashmate/templates/dashmate.json.j2 | Changed default SSL provider from self-signed to letsencrypt; added letsencrypt email configuration parameter (infrastructure@dash.org) in both defaults and rendered configuration template. |
| Ansible Tasks: ansible/roles/dashmate/tasks/main.yml, ansible/roles/dashmate/tasks/ssl/letsencrypt.yml | Added conditional gating for Zerossl provider logic; introduced new Let's Encrypt task file that creates SSL directories, executes certificate provisioning via dashmate CLI, and registers outcomes. |
| Migration Utility: bin/convert-to-letsencrypt | New bash script with CLI argument parsing (-n network, -e email, -k SSH key, -s server, --dry-run) that automates remote conversion of HP masternodes to Let's Encrypt via SSH execution, supporting dry-run simulation and per-host result aggregation. |

Sequence Diagram(s)

sequenceDiagram
    participant Ansible as Ansible Playbook
    participant Dashmate as Dashmate CLI
    participant LE as Let's Encrypt
    participant Storage as SSL Storage

    Ansible->>Dashmate: Set SSL provider to letsencrypt
    Ansible->>Dashmate: Set letsencrypt email config
    Ansible->>Dashmate: Render configuration
    Dashmate->>LE: Request certificate (ACME protocol)
    LE->>LE: Validate domain ownership
    LE-->>Dashmate: Issue certificate
    Dashmate->>Storage: Store certificate & private key
    Storage-->>Dashmate: Confirmed
    Dashmate-->>Ansible: Success (rc == 0)
sequenceDiagram
    participant Script as convert-to-letsencrypt
    participant Inventory as Inventory Parser
    participant SSH as SSH Session
    participant Remote as Remote Dashmate
    participant LE as Let's Encrypt
    participant Service as Platform Service

    Script->>Inventory: Parse targets from network inventory
    Inventory-->>Script: List of hp-masternode hosts
    loop For each matched host
        Script->>SSH: Establish SSH connection
        SSH->>Remote: Execute remote conversion routine
        Remote->>Remote: Set SSL provider=letsencrypt
        Remote->>Remote: Update email configuration
        Remote->>Remote: Render dashmate config
        Remote->>LE: Obtain certificate
        LE-->>Remote: Certificate issued
        Remote->>Service: Restart platform services
        Service-->>Remote: Services running
        Remote-->>SSH: Return exit status & logs
        SSH-->>Script: Capture per-host result
    end
    Script->>Script: Aggregate results and report summary

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 Hopping through certs with righteous delight,
From self-signed shadows to Let's Encrypt's light,
We configure, provision, and automate the way,
With dashmate and Ansible—hop, hop, hooray!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding Let's Encrypt SSL provider support to dashmate, which is the primary objective of this pull request. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@vivekgsharma vivekgsharma left a comment

LGTM

@ktechmidas ktechmidas merged commit 3cf17de into v1.0-dev Feb 25, 2026
2 checks passed
@ktechmidas ktechmidas deleted the feat/letsencrypt-ssl-support branch February 25, 2026 06:19