
Phase in key rollover #920

Open · Zash opened this issue Oct 25, 2023 · 0 comments

Comments

Zash commented Oct 25, 2023

Hi and thanks a lot for dehydrated!

I'm looking into enabling private key renewal for my email and XMPP, where I have DANE TLSA records deployed. Since these must be published to DNS before the new private key is used, I would also like to use the rollover feature.

Based on my reading of dehydrated/dehydrated, lines 1458 to 1472 in e3ef43c:

```bash
# move rolloverkey into position (if any)
# Three-way rename: the previously generated rollover key becomes this renewal's
# key (privkey-${timestamp}.pem) and the freshly generated key becomes the new
# rollover key. Only taken when a rollover key already exists.
if [[ -r "${certdir}/privkey.pem" && -r "${certdir}/privkey.roll.pem" && "${PRIVATE_KEY_RENEW}" = "yes" && "${PRIVATE_KEY_ROLLOVER}" = "yes" ]]; then
  echo " + Moving Rolloverkey into position.... "
  mv "${certdir}/privkey.roll.pem" "${certdir}/privkey-tmp.pem"
  mv "${certdir}/privkey-${timestamp}.pem" "${certdir}/privkey.roll.pem"
  mv "${certdir}/privkey-tmp.pem" "${certdir}/privkey-${timestamp}.pem"
fi
# generate a new private rollover key if we need or want one
# Reached when no rollover key exists yet, e.g. the first run after enabling
# PRIVATE_KEY_ROLLOVER; the freshly generated privkey-${timestamp}.pem is kept
# for immediate use in that case.
if [[ ! -r "${certdir}/privkey.roll.pem" && "${PRIVATE_KEY_ROLLOVER}" = "yes" && "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
  echo " + Generating private rollover key..."
  case "${KEY_ALGO}" in
    rsa) _openssl genrsa -out "${certdir}/privkey.roll.pem" "${KEYSIZE}";;
    prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${certdir}/privkey.roll.pem" -noout;;
  esac
fi
```

if you go from PRIVATE_KEY_ROLLOVER="no" and PRIVATE_KEY_RENEW="no" to both yes, dehydrated will not use the old key one last time but throws it away, generating both a new key for immediate use and a rollover key.

It would be more convenient if, when rollover+renew is enabled and there is no rollover key, dehydrated generated only the rollover key and kept using the old key until the next renewal.

Possible workarounds include preemptively generating new rollover keys or delaying deployment of new keys and certificates until after new TLSA records have been published to DNS (and some time for caches to expire).
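The behaviour requested above, modelled as a small POSIX shell script. This is an added example and not dehydrated's own code: it reproduces only dehydrated's file layout (privkey.pem, privkey-<timestamp>.pem, privkey.roll.pem) and the PRIVATE_KEY_RENEW / PRIVATE_KEY_ROLLOVER variables; the function names rollover_renew, gen_key and tlsa_rdata are hypothetical, privkey.pem is maintained as a copy rather than however dehydrated links it, and key generation falls back to a labelled placeholder when openssl is not installed. It also adds the DANE step the issue is motivated by: computing the "3 1 1" TLSA rdata for privkey.roll.pem so the record can be published before that key is ever used, and showing that the rdata is unchanged once the key moves into position.

```shell
#!/bin/sh
# Added example (not dehydrated's code): model of dehydrated's key-renewal file
# layout with the behaviour proposed in this issue. rollover_renew, gen_key and
# tlsa_rdata are hypothetical names.
set -eu

GEN_COUNT=0

# Stand-in for dehydrated's _openssl genrsa / ecparam call. Uses openssl when it
# is installed; otherwise writes a unique placeholder so the file shuffling can
# still be exercised offline (placeholder keys are constructed, not real keys).
gen_key() {
    GEN_COUNT=$((GEN_COUNT + 1))
    if command -v openssl >/dev/null 2>&1; then
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
            -out "$1" 2>/dev/null
    else
        printf 'PLACEHOLDER KEY %s\n' "$GEN_COUNT" > "$1"
    fi
}

# Prepare the key for one renewal. The key the new certificate must be issued
# for ends up in $certdir/privkey-$timestamp.pem; privkey.pem becomes a copy of
# it (dehydrated keeps a link there, a copy keeps this example portable).
rollover_renew() {
    certdir="$1"; timestamp="$2"
    renew="${PRIVATE_KEY_RENEW:-no}"; roll="${PRIVATE_KEY_ROLLOVER:-no}"

    if [ "$renew" != yes ]; then
        # Key renewal disabled: keep the current key.
        cp "$certdir/privkey.pem" "$certdir/privkey-$timestamp.pem"
    elif [ "$roll" = yes ] && [ ! -r "$certdir/privkey.roll.pem" ]; then
        # First renewal after enabling rollover (the case in this issue):
        # keep using the current key and only create the rollover key, so its
        # TLSA record can be published before the key is ever used.
        cp "$certdir/privkey.pem" "$certdir/privkey-$timestamp.pem"
        gen_key "$certdir/privkey.roll.pem"
    elif [ "$roll" = yes ]; then
        # A rollover key exists (and has been announced in DNS): move it into
        # position and prepare the next one.
        mv "$certdir/privkey.roll.pem" "$certdir/privkey-$timestamp.pem"
        gen_key "$certdir/privkey.roll.pem"
    else
        # Renewal without rollover: fresh key for immediate use.
        gen_key "$certdir/privkey-$timestamp.pem"
    fi
    cp "$certdir/privkey-$timestamp.pem" "$certdir/privkey.pem"
}

# DANE TLSA rdata for a private key: usage 3 (DANE-EE), selector 1 (SPKI),
# matching type 1 (SHA-256 of the DER SubjectPublicKeyInfo). Publish this for
# privkey.roll.pem, wait for the old record's TTL to expire, then let it roll.
tlsa_rdata() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl required" >&2; return 1; }
    digest=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.* //')
    printf '3 1 1 %s\n' "$digest"
}

# Walk through enabling both options with an existing key, as in the issue.
demo() {
    dir=$(mktemp -d)
    printf 'EXISTING KEY\n' > "$dir/privkey.pem"   # constructed stand-in for the current key
    PRIVATE_KEY_RENEW=yes; PRIVATE_KEY_ROLLOVER=yes
    rollover_renew "$dir" 1001   # still uses EXISTING KEY, creates privkey.roll.pem
    tlsa_rdata "$dir/privkey.roll.pem" || true   # record to publish now
    rollover_renew "$dir" 1002   # rollover key goes live, next rollover key created
    ls "$dir"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh rollover.sh demo` to see the three files after two renewals. The first rollover_renew call is the one that differs from the snippet quoted above: with no privkey.roll.pem present it leaves the key in use untouched and produces only the rollover key, which is what makes "publish TLSA first, then roll" possible without a manual workaround.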

Labels: None yet. Projects: None yet. No branches or pull requests. 1 participant.