Generate letsencrypt certificates

This must run after the ``letsencrypt-install-acme-sh``,
``letsencrypt-request-certs`` and ``letsencrypt-install-txt-records``
roles.  It will run the ``acme.sh`` process to create the certificates
on the host.

**Role Variables**

.. zuul:rolevar:: letsencrypt_self_sign_only
   :default: False

   If set to True, will locally generate self-signed certificates in
   the same locations the real script would, instead of contacting
   letsencrypt.  This is set during gate testing as the
   authentication tokens are not available.

.. zuul:rolevar:: letsencrypt_self_generate_tokens
   :default: False

   When set to ``True``, self-generate fake DNS-01 TXT tokens rather
   than acquiring them through the ACME process with letsencrypt.
   This avoids leaving "half-open" challenges during gate testing,
   where we have no way to publish the DNS TXT records letsencrypt
   gives us to complete the certificate issue.  This should be
   ``True`` if ``letsencrypt_self_sign_only`` is ``True`` (unless you
   wish to specifically test the ``acme.sh`` operation).

.. zuul:rolevar:: letsencrypt_use_staging
   :default: False

   If set to True will use the letsencrypt staging environment, rather
   than make production requests.  Useful during initial provisioning
   of hosts to avoid affecting production quotas.

.. zuul:rolevar:: letsencrypt_certs

   The same variable as described in ``letsencrypt-request-certs``.