albs role: letsencrypt issues
- well-known path must include acme-challenge, to avoid conflict with other well-knowns such as matrix protocol
- default certificate must also be owned by user 99
- it must be possible to allow some services to manage their own lets-ecrypt, in some cases they do, like axigen for example
- should not copy the certificate if issuing or renovation failed, a 0 bytes file is created and breaks the reverse proxy
- certs should be backed up, that makes easier migrations