No obvious way to deal with multiple certificates from autocert

Bug #2008081 reported by Colin Watson
Affects: charm-haproxy    Status: New    Importance: Undecided    Assigned to: Unassigned    Milestone: (none)

Bug Description

autocert can easily be configured to drop certificates into `/var/lib/haproxy/`, but configuring the haproxy charm to use them is awkward. If you only have one certificate then it's easy enough: symlink to `/var/lib/haproxy/default.pem` and set `crts: [DEFAULT]`. But I have a service with multiple public host names (merges.ubuntu.com and patches.ubuntu.com) and there's no obvious way to get the haproxy charm to use a different certificate from autocert for each frontend, as it only allows for either reading from `/var/lib/haproxy/default.pem` or from base64-encoded certificates in the Juju config:

    if service_crts:
        # Enable SSL termination for this frontend, using the given
        # certificates.
        bind_stanza += " ssl"
        for i, crt in enumerate(service_crts):
            if crt == "DEFAULT":
                path = os.path.join(default_haproxy_lib_dir, "default.pem")
            else:
                path = os.path.join(default_haproxy_lib_dir,
                                    "service_%s" % service_name, "%d.pem" % i)
            # SSLv3 is always off, since it's vulnerable to POODLE attacks
            bind_stanza += " crt %s no-sslv3" % path

It would be helpful if I could do something like `crts: ["EXTERNAL:merges.ubuntu.com.pem"]` (or `crts: ["EXTERNAL:/var/lib/haproxy/merges.ubuntu.com.pem"]` if you prefer). I think this needs a prefix because otherwise there'd be ambiguity about whether the path is actually base64-encoded text, but otherwise it seems simple enough.

In the absence of this, I guess the workaround is to arrange to get a single certificate with a Subject Alternate Name.

Haw Loeung (hloeung) wrote:

Another idea, perhaps have an option to specify the certificate path which HAProxy supports[1]:

"""
If a directory name is used instead of a PEM file, then all files found in
that directory will be loaded in alphabetic order unless their name ends
with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions).
"""

[1] http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#5.1-crt
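
The following is an added example, not code from the haproxy charm or from either poster. It sketches how the `crts` handling quoted in the report could grow the proposed `EXTERNAL:` prefix, and it also applies the HAProxy crt-directory rule quoted in the comment above to a directory listing. The `EXTERNAL:` syntax, the `resolve_external` confinement check, the PEM sanity check and the sample inputs are assumptions; only `DEFAULT`, the `service_<name>/<i>.pem` layout and the reserved-extension rule come from the page.

```python
"""Added example (not the charm's code): build a HAProxy ``bind`` suffix from a
``crts`` list that may contain DEFAULT, the hypothetical EXTERNAL:<path> form
proposed in the bug, or base64-encoded PEM as the charm already accepts."""
import base64
import binascii
import os
import posixpath
import re

HAPROXY_LIB_DIR = "/var/lib/haproxy"
# Reserved extensions from the HAProxy manual: skipped when a directory is given to ``crt``.
RESERVED_EXTENSIONS = (".key", ".issuer", ".ocsp", ".sctl")
_PEM_BEGIN = re.compile(rb"-----BEGIN [A-Z ]+-----")

# Constructed sample, not a real certificate: just enough to look like PEM.
SAMPLE_PEM_BYTES = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLE_INLINE_PEM = base64.b64encode(SAMPLE_PEM_BYTES).decode("ascii")


def resolve_external(spec, lib_dir=HAPROXY_LIB_DIR):
    """Resolve ``EXTERNAL:<path>`` to an absolute path confined to lib_dir.

    Relative values are taken relative to lib_dir.  Anything that normalises to
    a location outside lib_dir (``..`` segments, absolute paths elsewhere) is
    rejected, so a typo or hostile Juju config cannot point HAProxy, which
    reads the files as root, at an arbitrary private key on the unit.
    (Confinement rule is an assumption of this example, not charm behaviour.)
    """
    value = spec[len("EXTERNAL:"):]
    if not value:
        raise ValueError("EXTERNAL: requires a path")
    path = posixpath.normpath(posixpath.join(lib_dir, value))
    if path != lib_dir and not path.startswith(lib_dir + "/"):
        raise ValueError("EXTERNAL path escapes %s: %r" % (lib_dir, spec))
    return path


def build_bind_stanza(service_name, service_crts, lib_dir=HAPROXY_LIB_DIR):
    """Return (bind_suffix, files_to_write) for one frontend.

    bind_suffix is appended to the frontend's ``bind`` line.  files_to_write
    lists (path, pem_bytes) for inline certificates that must be written out
    (root-owned, mode 0600) before HAProxy is reloaded; EXTERNAL and DEFAULT
    entries are referenced in place and nothing is written for them.
    """
    if not service_crts:
        return "", []
    stanza = " ssl"
    to_write = []
    for i, crt in enumerate(service_crts):
        if crt == "DEFAULT":
            path = os.path.join(lib_dir, "default.pem")
        elif crt.startswith("EXTERNAL:"):
            path = resolve_external(crt, lib_dir)
        else:
            # Without a prefix a bare filename is indistinguishable from
            # base64 text, which is the ambiguity the report points out;
            # validate=True makes "merges.ubuntu.com.pem" fail here.
            try:
                pem = base64.b64decode(crt, validate=True)
            except (binascii.Error, ValueError):
                raise ValueError("crts[%d] is neither DEFAULT, EXTERNAL:, nor base64" % i)
            if not _PEM_BEGIN.match(pem):
                raise ValueError("crts[%d] does not decode to PEM" % i)
            path = os.path.join(lib_dir, "service_%s" % service_name, "%d.pem" % i)
            to_write.append((path, pem))
        # SSLv3 stays off, as in the charm (POODLE).
        stanza += " crt %s no-sslv3" % path
    return stanza, to_write


def certs_haproxy_would_load(filenames):
    """Apply the crt-directory rule quoted from the HAProxy manual.

    Every file is loaded in alphabetical order except names ending in a
    reserved extension, which HAProxy pairs with the matching .pem itself.
    """
    return sorted(f for f in filenames if not f.endswith(RESERVED_EXTENSIONS))
```

Two operational points follow from the example. First, when several `crt` entries (or a directory) sit on one `bind` line, HAProxy selects the certificate by matching the client's SNI against each certificate's names and falls back to the first one loaded, so the order of the `crts` list, or the alphabetical order of the directory, decides which certificate a client without SNI receives. Second, whatever syntax is chosen, any path taken from Juju config should be confined to the HAProxy state directory as `resolve_external` does, because HAProxy opens the file with root privileges.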
