feat(ssl): add inter-site jitter and clear rate-limit messaging to ssl-renew

[mrrobot47]

Problem

ssl-renew --all fires per-site ACME operations back-to-back with no spacing, and on a Let's Encrypt rate limit authorize() shows a misleading "you're in a local environment or using a non-public domain" message instead of saying it's a rate limit.

Fix

• Inter-site jitter: a short sleep( random_int( 1, 5 ) ) between per-site dispatches in the --all loop (none before the first or after the last; skipped sites don't count), to avoid bursting against Let's Encrypt's new-order/burst limits.
• Clear rate-limit messaging: a helper detects the rate-limit case — authoritatively via RateLimitedServerException, plus ratelimited/too many message fallbacks — and, in authorize() and both executeRenewal() catches, emits a specific "Let's Encrypt rate limit reached, wait before retrying" message (with the rate-limits docs link) instead of the misleading default.

ssl-renew --all already fails soft per site (a rate-limited site returns false and the batch continues); this makes the spacing gentler and the failure legible.

Out of scope (follow-ups)

A fully failure-resilient --all with automatic backoff-and-retry, and removing the dead if ( $all ) branch in ssl_renew(), are larger changes left for later.

Note for merge

This edits executeRenewal()'s catch blocks, which #486 also edits — whichever merges second will need a small rebase to reconcile.

Testing

Manual: ssl-renew --all across several sites spaces requests by 1–5s; a rate-limited renewal reports a clear rate-limit message + docs link rather than the "local environment" warning.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.