Complete ACME v2 support with DNS-01 challenge (through lego?)

The migration of Let's Encrypt to the ACME v2 protocol version enables users to use a DNS-01 challenge-response verification for retrieving certificates for their domains. Additionally, this also allows for the creation of wildcard domains, which are not only useful to GitLab Pages itself, but possibly extend to further use cases (involving different sub-domains accessing an SPA/PWA, artistic interventions like http://xn--ggc.net/, etc.).

The lego project, a Let's Encrypt client and ACME library written in Go, allows using and producing such DNS-01 challenges for creating certificates, SAN certificates and also for wildcard domains. This is working pretty well in Traefik v2, where I tested it, and most notably also allows integrating with self-hosted DNS infrastructure, if it builds on PowerDNS, next to most commercial vendors.

Incidentally, DNS-01 challenges are also less prone to triggering the rate limit of an ACME endpoint, since certificates can be created without direct access to a domain's endpoint. This would also open up possibilities for LAN-only deployments of GitLab Pages that are not directly connected to the Internet, but want to make use of encrypted TLS, sufficiently secure GitLab Pages authentication, etc.

~"feature proposal"
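
For reference, an added example that is not part of the original proposal and is not lego's or GitLab's code: the TXT record an ACME v2 server looks up for a DNS-01 challenge (RFC 8555, section 8.4), showing that a wildcard name and its base domain validate at the same record, so only DNS has to be reachable. The function name `DNS01Record` and the token, thumbprint and domain values are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// DNS01Record (hypothetical helper) returns the TXT record name and value
// that an ACME v2 server queries to validate `domain` with DNS-01.
// token comes from the server's challenge object; thumbprint is the
// base64url SHA-256 JWK thumbprint of the ACME account key (RFC 7638).
func DNS01Record(domain, token, thumbprint string) (name, value string) {
	// A wildcard identifier is validated at its base domain: the "*."
	// label is dropped before "_acme-challenge." is prepended.
	base := strings.TrimSuffix(strings.TrimPrefix(domain, "*."), ".")
	name = "_acme-challenge." + base + "."

	// Key authorization binds the challenge token to the account key.
	keyAuth := token + "." + thumbprint

	// The record value is the unpadded base64url SHA-256 digest of it.
	sum := sha256.Sum256([]byte(keyAuth))
	value = base64.RawURLEncoding.EncodeToString(sum[:])
	return name, value
}

func main() {
	// Constructed sample values, not taken from a real ACME order.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	thumbprint := "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"

	for _, d := range []string{"pages.example.org", "*.pages.example.org"} {
		name, value := DNS01Record(d, token, thumbprint)
		fmt.Printf("%-22s -> %s 300 IN TXT %q\n", d, name, value)
	}
}
```

Whoever can write `_acme-challenge` TXT records for a zone can obtain certificates for it, so the DNS provider credentials handed to an ACME client should be scoped to those records where the provider supports it.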