ApacheSSLContext should use ssl_ca when set

Bug #1756137 reported by David Ames
Affects                   Status    Importance  Assigned to  Milestone
Charm Helpers             Triaged   High        Unassigned
OpenStack Keystone Charm  Triaged   High        Unassigned

Bug Description

A change to the openstack_https_frontend was merged [0] which points SSLCertificateChainFile at the certificate file rather than at what is set in ssl_ca. While this works in some cases, it is misleading, as ssl_ca is required for intra-deployment communication.

Even commercially signed certificates often have an intermediate signing certificate that must be configured to enable certificate validation. Concatenating the whole certificate chain including a CA certificate, an intermediate signing certificate, and the server certificate works for Apache.

However, in the OpenStack Charms the ssl_ca setting is used for more than just the Apache configuration. The ssl_ca gets installed on the unit as a Certificate Authority, enabling intra-deployment communication. For example, it allows the cinder unit to communicate with keystone via https without certificate validation errors.

This is particularly important for self-signed (non-commercial) certificate authorities in an organization. The CA and any intermediate signing certificates must get installed as certificate authorities to allow intra-deployment communication. Even with commercially signed certificates, an intermediate certificate may need to be installed. That is the purpose of the ssl_ca configuration parameter.

This bug is to add intelligence to the ApacheSSLContext and the openstack_https_frontend that does the following:

Check if ssl_ca is set:
* Use ssl_ca as the SSLCertificateChainFile if it is set.
* If not set, set SSLCertificateChainFile to the certificate file (as it does now) and possibly log a warning.
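As an added illustration of the rule above (not code from charm-helpers or the keystone charm), the routine below picks the SSLCertificateChainFile path, falls back to the certificate file with a warning when ssl_ca is unset, and additionally warns when that fallback file carries a single certificate and so cannot supply any intermediate. The file paths, function names and PEM sample are assumptions constructed for the example.

```python
import logging
import re
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("apache-ssl-context")

# Assumed on-disk locations; charm-helpers' real layout is not reproduced here.
CERT_PATH = "/etc/apache2/ssl/keystone/cert_keystone"
KEY_PATH = "/etc/apache2/ssl/keystone/key_keystone"
CA_PATH = "/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt"

# One PEM CERTIFICATE block; DOTALL so the base64 body may span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed PEM stand-ins (placeholder bodies, not real certificates).
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n"
             "-----END CERTIFICATE-----\n")
FAKE_CA_BUNDLE = FAKE_CERT * 2  # root CA + intermediate, concatenated


def count_pem_certs(pem: str) -> int:
    """Number of CERTIFICATE blocks in a PEM bundle."""
    return len(PEM_BLOCK.findall(pem))


def choose_chain_file(ssl_ca: Optional[str], cert_pem: str) -> Tuple[str, List[str]]:
    """Return (chain file path, warnings) following the rule in the bug."""
    warnings: List[str] = []
    if ssl_ca:
        return CA_PATH, warnings  # ssl_ca set: serve the CA/intermediate chain
    warnings.append("ssl_ca not set; using certificate file as SSLCertificateChainFile")
    if count_pem_certs(cert_pem) < 2:
        warnings.append("certificate file holds one cert: no intermediates will be served")
    return CERT_PATH, warnings


def render_ssl_directives(config: Dict[str, Optional[str]]) -> Tuple[List[str], List[str]]:
    """Build the Apache SSL directives for a config with ssl_cert and optional ssl_ca."""
    chain, warnings = choose_chain_file(config.get("ssl_ca"), config["ssl_cert"])
    for w in warnings:
        log.warning(w)
    lines = [
        f"SSLCertificateFile {CERT_PATH}",
        f"SSLCertificateKeyFile {KEY_PATH}",
        f"SSLCertificateChainFile {chain}",
    ]
    return lines, warnings
```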

This bug is also for updating any documentation that requires clarification on the above. Particularly making clear the requirement to set ssl_ca for intra-deployment communication.

[0] https://github.com/juju/charm-helpers/commit/8229249ac4a0bbb54f343766f9f65ee448f3d720

David Ames (thedac) wrote:

Adding keystone to get OpenStack charms on the radar. Keystone may or may not require documentation updates.

Changed in charm-helpers:
status: New → Triaged
importance: Undecided → High
Changed in charm-keystone:
status: New → Triaged
importance: Undecided → High
milestone: none → 18.05
David Ames (thedac)
Changed in charm-keystone:
milestone: 18.05 → 18.08
James Page (james-page)
Changed in charm-keystone:
milestone: 18.08 → 18.11
David Ames (thedac)
Changed in charm-keystone:
milestone: 18.11 → 19.04
David Ames (thedac)
Changed in charm-keystone:
milestone: 19.04 → 19.07
David Ames (thedac)
Changed in charm-keystone:
milestone: 19.07 → 19.10
David Ames (thedac)
Changed in charm-keystone:
milestone: 19.10 → 20.01
James Page (james-page)
Changed in charm-keystone:
milestone: 20.01 → 20.05
David Ames (thedac)
Changed in charm-keystone:
milestone: 20.05 → 20.08
James Page (james-page)
Changed in charm-keystone:
milestone: 20.08 → none