Reference value is pre-timeshift, so it will immediately differ but for the
wrong reason.

sqlite does not allow controlling creation mode, so create the file
ourselves so it gets created when missing.

Rather than starting to listen on http before https.
This makes tests more reliable, as they will no actually wait for caucased
to be fully ready, in turn making shutdown more reliable.

It is not expiration which is disabled, but pruning from database.

For consistency with other places in caucase.

No certificate is needed to be an anonymous client, only up-to-date CA and
CRL are needed to validate service certificate.

Also, document why CA certificate expiration is not tracked explicitly.

Contains a few handy commands to run before sending patches.

Otherwise, this port will fail https handshake if clients connects too
early.

netloc is the public access point to a caucase instance.
bind is the private access point to a caucase instance, which may be
different (ex: NAT). Allow overriding netloc address with --bind.
As a consequence, add support for multiple binds: a netloc may resolve to
multiple addresses (ex: one IPv4, one global IPv6 and one Unique Local
Address).
As a further consequence, systematically disable automatic IPv4 binding
when binding to an IPv6 address.
Also, allow overriding netloc port with --base-port. The same port pair
will be used on all bound hosts.
Share SSL context between multiple https sockets.
To increase binding visibility, print bindings, and print when exiting.

pyca/cryptography 21st release is out and caucase already requires
is_signature_valid.
Also, literal IPv6 CRL distribution points do not fail anymore - add test.
No more known 1.0 blockers ! Weee !

Also, remove irrelevant key usage extension, as during certificate renewal
the extensions of the existing certificate are used, not the ones of the
certificate signing request.

Found by shellcheck.

Do not rely on test's -a & -o.
Escape backslashes which are intended as literals.
Avoid one useless "cat".
Avoid testing $?.
Simplify "is integer ?" test.
Quote a few variable expansions.
Arithmetic expression does not need explicit expansion.
Split declaration and assignment to unmask status.
Disable shellcheck warning about "local" being undefined in POSIX.

Also, drop redundant HTTP version fallback: this is already handled in
BaseHTTPRequestHandler.

Export is already provided by the regular protocol.

CRL object comparison does not check the list of revoked certificates.
Instead, compare signatures as they are supposed to be all-inclusive.

Thanks, pylint.

Too many issues with processes not willing to shutdown.
Instead, spawn threads, use an event to stop caucased while sleeping,
and make it stop its http[s] servers more gracefully.

Increases realiability of tests, especially when checking coverage.

For offline database administration: restoring backups, importing and
exporting CA key pairs.

For easier use when renewing a single certificate after restoring
backups, for example.

Also, makes them not count against the maximum number of auto-emitted
certificates.