In T234037: Toolforge ingress: decide on final layout of north-south proxy setup we decided that the way to go is to use dynamicproxy as front proxy for Toolforge. Thus, this proxy will need to handle SSL termination for both tools.wmflabs.org (currently using a wildcard cert) and for toolforge.org (also using a wildcard cert).
Ideally, we would start using acme-chief to generate these certs. This task is to clarify how this would be done and to perform the required steps.