Make getting an SSL certificate a step in the set up process for a data node

[campbellssource]

Feature Overview

What: When installing a data node you should be prompted to set up an SSL Certificate. Better still this is automated using something like Let's Encrypt so that SSL Certificates are issued with little extra effort.
Why: GraphQL subscriptions require an SSL certificate to work. Without subscriptions clients will have to poll to receive new data(refactoring Console to do this will take signfiicant effort and negatively effect its performance), or the user will have to refresh the page to see new data 🤢.
Having an SSL certificate is an essential part of running a data node, if you don't have ssl the node probably isn't providing much value.

As someone who is setting up a data node
I want to ensure I set up an SSL certificate
So that the node I run can be used for graphQL subscriptions (as well as enhanced security)

Specs

No spec to link to although...
vegaprotocol/specs#763 and
vegaprotocol/specs#684
are relevant.

Tasks

• Build process for prompting data node runners to set up a data node
• Test the experience to see if it works in getting a data node set up with SSL

Product Owner

Suggest: @fkondej due to its devops like topic

Acceptance Criteria

• A prompt exists to set up SSL when installing a data node
• When running a data node the operator is nagged when SSL isn't pressent
• Code exists in data node that make the process of setting up SSL as stream lined as possible

Test Scenarios

GIVEN a data node is in the process of being set up 
WHEN I come to finalise set up
THEN there is a prompt / action to set up ssl

GIVEN I am running a data node without SSL 
WHEN I check logs, or status of node
THEN there is a prompt / action to set up ssl

Impacted Systems / Engines

I don't know

API Calls

none required

Dependencies

No dependencies at time of writing

[gordsport]

Closing as wont do. I have raised a comment in the protocol-design ticket to take this into consideration when creating the incentivised data-node spec: vegaprotocol/specs#685 (comment)

[barnabee]

We have just discussed this on a call re: Console for mainnet and we need to ensure HTTPS is running on data nodes before incentivised data node. It is a requirement for Console for mainnet trading.

We should discuss this further before agreeing it is a #wontfix. The MVP / implementation of this we have in mind would be that the default config looks something like this:

[SSL]
# Set your data node domain name and email address below to enable auto https
# data_node_root_domain = datanode.mynode.com
# ssl_certificate_email = me@mynode.com

And the data node uses something like autocert to acquire an SSL certificate and enable HTTPS if you provided everything needed in the config. (We could also provide a log message on startup if you haven't done so, explaining that some features (GraphQL) won't work unless you enable it or run an HTTPS reverse proxy like Caddy.)

The alternative would be to try and ensure validators are using something lijke Caddy but we might end up with a low and variable hit rate and a large support job.