cleanly phase in new TLS session ticket keys

This closes a small window where new workers could give keys not
accepted by the old workers before they're gracefully shut down. This
will also be needed when syncing keys across a cluster.

create-session-ticket-keys

@@ -4,8 +4,8 @@ set -o errexit -o nounset -o pipefail
 
 cd /etc/session-ticket-keys
 
-for i in {1..4}; do
-    head -c 80 </dev/random >$i.key
+for i in next.key {1..4}.key; do
+    head -c 80 </dev/random >$i
 done
 
-cat {1..4}.key > keys
+cat next.key {1..4}.key > keys

rotate-session-ticket-keys

@@ -7,10 +7,11 @@ cd /etc/session-ticket-keys
 rsync -tI 2.key 1.key
 rsync -tI 3.key 2.key
 rsync -tI 4.key 3.key
-head -c 80 </dev/random >new.key
-mv new.key 4.key
+rsync -tI next.key 4.key
+head -c 80 </dev/random >tmp.key
+mv tmp.key next.key
 
-cat {1..4}.key > keys.new
+cat next.key {1..4}.key > keys.new
 mv keys.new keys
 
 status=0