Currently, certbot was deployed:
- as a system package on webserver-core
- as a Docker container and wrapper, with DNS hook on paas-docker
- not at all elsewhere
This change merges the different units as a part of the roles/core/certificates
unit to have a consistent installation through all machines, Docker included.
Don't try to issue certificates, as to use DNS registration, we currently
need a manual intervention to add a CNAME DNS record for the _acme_challenge.
verification subdomain.
Certificates are renewed with a daily script running certbot renew, installed
through periodic on FreeBSD or as a systemd timer on Linux with systemd nodes.
Ref T1505.