Put all SSL cert stuff in The Right Folder™

[taoeffect]

So, related to al3x/sovereign#251, and related to my comment here (which i'll quote here):

For a future PR, let's move the keys to one folder (both the .key and the .crt), and let's put it in a place that's recommended by dovecot, which I believe @al3x also created an issue for in sovereign.

Also worth doing, as part of this issue or a separate one, moving roles/common/files/wildcard_private.key (the user's key) to a top level folder called secrets instead of buried within the roles.

So this is a two parter:

1. Place .key and .crt into "the right place" on the server, and make that place a single folder so that it's easy to re-generate keys by simply deleting it.
2. Create a secrets folder in this repo at the top level and tell users to put their private key. It's best to not distribute a "default key" the way sovereign is currently doing, as that is ... how you say... something that people should be sued over (default passwords = negligence).

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/6447827-put-all-ssl-cert-stuff-in-the-right-folder?utm_campaign=plugin&utm_content=tracker%2F8064840&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F8064840&utm_medium=issues&utm_source=github).

[taoeffect]

Actually, @PiPeep reminds me that PR #35 gets rid of the default private key, so we're good on not being negligent, but we still need to fetch the user's key from a top-level secrets folder.

[taoeffect]

Copied from 46:

Note that these files shouldn't remain on the server:

• /etc/ssl/certs/wildcard_public_cert.crt
• /etc/ssl/certs/wildcard_ca.pem
• /etc/ssl/private/wildcard.csr
• /etc/ssl/private/openssl.cnf