cleanly phase in new TLS session ticket keys

This closes a small window where new workers could give keys not
accepted by the old workers before they're gracefully shut down. This
will also be needed when syncing keys across a cluster.

create-session-ticket-keys

@@ -4,8 +4,8 @@ set -o errexit -o nounset -o pipefail
 
 cd /etc/session-ticket-keys
 
-for i in {1..4}; do
-    head -c 80 </dev/random >$i.key
+for i in next.key {1..4}.key; do
+    head -c 80 </dev/random >$i
 done
 
-cat {1..4}.key > keys
+cat next.key {1..4}.key > keys