Depending on the environment, various exceptions can be risen, so be tolerant
regarding the exception type.

On python 3.5, for each request where SSL authentication fail, even
though application seem functional, a traceback is logged in the log
file.
This makes tests asserting the last log line fail because the last line
is not the access log line, it's the last line of the traceback.

On python >= 3.6, such tracebacks are not logged, so we don't try to fix
this issue but just workaround this for python 3.5. We'll drop this
patch once we stop supporting python 3.5

it seems not enough on out test infrastructure sometimes

pylint understands this and does not report errors about accessing
undefined members.

http://pylint.pycqa.org/en/stable/faq.html#how-do-i-avoid-access-to-undefined-member-messages-in-my-mixin-classes

/reviewed-on nexedi/kedifa!5

It can fail too fast, without giving caucase any chance to start really.

It's better to reply 400 Bad Request on malformed requests and do not pollute
log with exceptions.

Also improve message in case of failure.

/reviewed-on !4

As updater is used in environment, which requires it to have certificates
available as fast as possible, add a prepare step and allow to launch it with
--prepare-only switch.

Thanks to this it is possible to run it with configuration file to provide
fallback or master certificates for all slaves without connecting to the
network, thus resulting in fast preparation.

/reviewed-on nexedi/kedifa!3

Also cover loop method.

It will make further testing much easier

If at least once certificate has been downloaded from KeDiFa it shall never
use again the fall-back, as otherwise it would result with a problem, that
next unsuccessful download from KeDiFa would result replacement with
fall-back.

In order to do so state file is introduced keeping list of overridden
certificates. As now there is critical path regarding fetching certificates,
the lock is created to avoid concurrent updates.

Fix one condition.

In order for further development and features create mixin.

Features:

 * by default runs with 60s sleep
 * allows to have master, updateable, certificate, which is used in case if
   specific certificate is not available

Having PRIMARY KEY on certificate.id is to strict -- as real uniques is
required on id + reference in certificate table.

capturer does not work in some of tests environment.