icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0

Renew certificates when one is known to be OCSP revoked. #330

Closed icing closed 8 months ago

icing commented 9 months ago
frasertweedale commented 9 months ago

I will apply the patch and test locally, and report back.

frasertweedale commented 9 months ago

@icing

I have tested the change. I see one issue: the actual renewal of a revoked cert doesn't take place until the next md watchdog run, which could be up to 12 hours. If practical, the renewal should be attempted immediately. Ideas:

Overall, this PR works and is a big step forward. It could be landed as-is. In fact, there is already a delay until the OCSP response gets refreshed. A further delay until actually starting the renewal attempt is not ideal, but not a show-stopper.

icing commented 9 months ago

@frasertweedale thanks for testing! I agree that waiting up to 12 hours for a renewal is not optimal.

The simplest way to shorten that is to make the 12 hours configurable.

Awakening the ACME watchdog on OCSP updates is more complicated. There is no guarantee that the ACME and OCSP watchdogs run in the same process. Execution might switch. As to making ACME and OCSP run in the same watchdog: that is of course possible but I am not sure I like to rip apart the code here.

I am leaning towards allowing admins concerned about revoke renewals to use a shorter interval.

frasertweedale commented 9 months ago

@icing yeah, both of my suggested approaches would be intrusive and awkward changes. Making the maximum watchdog sleep time configurable is a simple(r) change with a good impact.

icing commented 9 months ago

Added MDCheckInterval config directive to this PR, plus documentation.
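The configuration below is an added illustration of the directive discussed in this thread; it is not taken from the PR or from the mod_md documentation. It assumes `MDCheckInterval` accepts the same duration notation as the other mod_md time directives (for example `1h`), that the OCSP responses the revocation check relies on come from mod_md's own stapling (`MDStapling on`), and that `example.com` and the contact address are placeholders. The `1h` value is an assumed example, not a recommended setting.

```apache
# Added example, not from the PR or the mod_md docs.
# A domain whose certificate mod_md obtains and renews via ACME, with mod_md
# also fetching the OCSP responses that a revocation would show up in.
MDCertificateAgreement accepted
# Placeholder contact address for the ACME account.
MDContactEmail admin@example.com
MDStapling on

# Default behaviour: the watchdog that drives renewals sleeps up to 12 hours,
# so a certificate found revoked via OCSP may wait that long before an ACME
# renewal is attempted.
#MDCheckInterval 12h

# Shortened interval for installations that want a revoked certificate
# replaced sooner. The value is an assumed example.
MDCheckInterval 1h

MDomain example.com www.example.com

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    # No SSLCertificateFile here: mod_md supplies the certificate for this MDomain.
</VirtualHost>
```

Apache does not allow a comment on the same line as a directive, so each note sits on its own line. Note that the interval bounds how long the ACME watchdog sleeps between all of its checks, not only the revocation case, and that the OCSP response itself is only re-fetched on its own schedule, so the total delay before renewal is the sum of both.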