reverseproxy: rework cert logic

9c8f78a059 already fixed many of the cert issues.

However, some issues were caught in the CI:

* The TLS addon has to be rebuilt and not just restarted. For this reason, we now
  move things to a directory instead of mounting files. This way the container is just restarted.

* Cleanups must be driven by the database and not the filesystem . Deleting files on disk or after a restore,
  the certs are left dangling forever in the db.

* Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want.

src/services.js

@@ -161,8 +161,8 @@ const ADDONS = {
         clear: NOOP,
     },
     tls: {
-        setup: NOOP,
-        teardown: NOOP,
+        setup: setupTls,
+        teardown: teardownTls,
         backup: NOOP,
         restore: NOOP,
         clear: NOOP,
@@ -1813,6 +1813,23 @@ async function restoreRedis(app, options) {
     await pipeFileToRequest(dumpPath('redis', app.id), `http://${result.ip}:3000/restore?access_token=${result.token}`);
 }
 
+async function setupTls(app, options) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+
+    if (!safe.fs.mkdirSync(`${paths.PLATFORM_DATA_DIR}/tls/${app.id}`, { recursive: true })) {
+        debug('Error creating tls directory');
+        throw new BoxError(BoxError.FS_ERROR, safe.error.message);
+    }
+}
+
+async function teardownTls(app, options) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+
+    safe.fs.rmSync(`${paths.PLATFORM_DATA_DIR}/tls/${app.id}`, { recursive: true, force: true });
+}
+
 async function statusTurn() {
     const [error, container] = await safe(docker.inspect('turn'));
     if (error && error.reason === BoxError.NOT_FOUND) return { status: exports.SERVICE_STATUS_STOPPED };