A couple days ago, I switched most of my *.p3k.io domains over to individual Let's Encrypt certificates. It was relatively easy for the apps that are running on my main server. However, XRay is actually running on Google App Engine, which means my streamlined workflow for requesting and renewing certificates doesn't apply.
App Engine doesn't have an integration with Let's Encrypt yet, and there is also no API for uploading certificates, so this will require some manual work for now.
The Let's Encrypt client supports a "manual" method of requesting certificates, where it will show you the challenge text and wait for you to put the challenge response onto the server where the client expects to find it. I figured I could use this to request a certificate for my App Engine app.
I had to build a form into XRay that would let me enter the challenge text and save it to be served by App Engine. Of course I couldn't let just anyone use the form, otherwise anyone could request certs for my domain. So I had to build a login mechanism into XRay so that only I can use the form.
Since XRay is deployed from a public GitHub repository, I couldn't put any secrets in the config file, so this sounded like a great use for indieauth.com which lets me sign in without the consuming website needing any secret keys.
So now I can sign in to XRay:
And after I'm signed in, there is a form to save the challenge text from Let's Encrypt.
I wrote up full setup instructions in the XRay project.