
expected behaviour on certificate updates

Open Geal opened this issue 4 years ago • 2 comments

I've seen some inconsistencies when updating certificates, so I want to clarify how certificate updates should work. Here are a few principles that should always apply:

  • if two certificates match the same name, choose the one that expires last
  • if two certificates match a name, one of them with a wildcard, choose the most specific one
  • when removing a certificate, keep it around if some frontends still match it. It will be truly removed once the frontend is removed, or when a new matching certificate is added
  • the order in which we add or remove certificates should not influence the behaviour in the end

What do we do with EV certificates? Could we configure priority levels for some certificates?

Now let's add some examples:

  • add front www.example.com
  • add cert1 www.example.com
  • add cert2 *.example.com -> cert 1 is used for www.example.com

  • add front www.example.com
  • add cert2 *.example.com
  • add cert1 www.example.com -> cert 1 is used for www.example.com

replacing an old cert with a new one:

  • add cert1 example.com expires 2021/06/30
  • add front example.com -> cert1 is used for example.com
  • remove cert1 -> cert1 still used for example.com
  • add cert2 example.com expires 2022/06/30 -> cert1 now used for example.com

replacing a certificate with a new one with different names:

  • add cert1 example.com, truc.fr
  • add front example.com
  • add front truc.fr -> cert1 is used for example.com, truc.fr
  • remove cert1 -> cert1 still used for example.com, truc.fr
  • add cert2 example.com, bidule.fr -> cert1 still used for truc.fr -> cert2 is used for example.com

Geal, Jun 25 '21 07:06
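The four principles and the scenarios above, written out as a small Rust model (an added example, not sozu's own certificate store). It assumes a tombstone flag on removed certificates, plain YYYYMMDD integers for expiry dates, and a single-label wildcard rule; `Store`, `Cert` and `specificity` are names chosen here.

```rust
// Added example (not sozu's own code): a sketch of the certificate-selection
// rules stated in the issue. Expiry dates are plain YYYYMMDD integers.
struct Cert { id: &'static str, names: Vec<&'static str>, expires: u32, removed: bool }
#[derive(Default)]
struct Store { certs: Vec<Cert>, fronts: Vec<&'static str> }

/// How specifically `name` matches `host`: 2 = exact, 1 = wildcard, 0 = no match.
fn specificity(name: &str, host: &str) -> u8 {
    if name == host { return 2; }
    if let Some(suffix) = name.strip_prefix("*.") {
        // A wildcard covers exactly one extra label (www.example.com, not a.b.example.com).
        if let Some(label) = host.strip_suffix(suffix).and_then(|h| h.strip_suffix('.')) {
            if !label.is_empty() && !label.contains('.') { return 1; }
        }
    }
    0
}

impl Store {
    fn add_front(&mut self, host: &'static str) { self.fronts.push(host); }
    fn remove_front(&mut self, host: &str) { self.fronts.retain(|f| *f != host); self.purge(); }
    fn add_cert(&mut self, id: &'static str, names: &[&'static str], expires: u32) {
        self.certs.push(Cert { id, names: names.to_vec(), expires, removed: false });
        self.purge();
    }
    /// Removal only tombstones the cert; it is dropped once no frontend resolves to it.
    fn remove_cert(&mut self, id: &str) {
        if let Some(c) = self.certs.iter_mut().find(|c| c.id == id) { c.removed = true; }
        self.purge();
    }
    /// Drop tombstoned certs that no frontend still needs (after a front removal or a cert add).
    fn purge(&mut self) {
        let keep: Vec<String> = self.fronts.iter()
            .filter_map(|f| self.resolve(f)).map(String::from).collect();
        self.certs.retain(|c| !c.removed || keep.iter().any(|k| k.as_str() == c.id));
    }
    /// Best cert for `host`: active certs win over tombstoned ones; among those, the most
    /// specific name wins, then the latest expiry, so the order of adds does not matter.
    fn resolve(&self, host: &str) -> Option<&str> {
        let best = |removed: bool| self.certs.iter().filter(|c| c.removed == removed)
            .filter_map(|c| {
                let s = c.names.iter().map(|n| specificity(n, host)).max()?;
                if s > 0 { Some((s, c.expires, c.id)) } else { None }
            })
            .max().map(|(_, _, id)| id);
        best(false).or_else(|| best(true))
    }
}
```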

cc @urcadox

Geal, Jun 25 '21 07:06

LGTM :)

urcadox, Jun 28 '21 13:06