WIP: ACME support

[erikh]

This is still a work in progress; I'm just filing this pull request to get it out in the open that this work is being done, and that we're close to a result.

This implements ACME according to spec, using https://github.com/mholt/acmez as an underlying base. There are some unique challenges that are mostly solved, but not completely yet:

• In a cluster of border nodes, they need to all respond to the same challenge
  • This requires a handshake protocol be used to distribute a single challenge to all of them, and indicate when the challenge is complete so that the certificate can be fetched
• The certificate must be distributed as soon as it is captured. If not, there will be either TLS desync between nodes or some will be able to respond to https requests, and others not.
• The challenge must take place in some scenarios (tls-alpn, http-01) in lieu of the content destined to be served.
• The process must happen without the server going down

Some of these things are already solved in this branch, and others have yet to be finished. Additionally, the notion of truly graceful restarts (border already cleanly restarts itself, but does not carry outstanding TCP sockets when it does, instead choosing to close them for now) is not covered, but needs to be addressed at a near later point. Configuration distribution is a solved issue, but pumping them into the configuration and re-distributing the updated configuration needs to be done, which is solved in this branch. Finally, reconfiguring the service is also done in this branch, so that it can respond to ACME challenges without allowing unprotected or poorly protected traffic through the underlying service.