certbot: Move verification webroot under /var/lib/zulip .

If we were making an old-fashioned webroot where hand-written static
HTML files went, somewhere under `/srv` would be most appropriate.
Here, this webroot is really more of an implementation detail of the
certbot set up by the Zulip installer/packaging, containing transient
state.  So someplace under `/var` is appropriate, and specifically
under `/var/lib/zulip` in order to properly namespace it.

For background on `/var/www` and friends, see the top couple of answers
on
  https://unix.stackexchange.com/questions/47436/why-web-server-var-www

puppet/zulip/files/cron.d/certbot-renew

@@ -3,4 +3,4 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 USER=root
 
 # Cron job to renew certbot twice a day.
-52 0,12 * * * root /usr/local/sbin/certbot-auto renew --webroot --webroot-path=/var/www/certbot/ --quiet
+52 0,12 * * * root /usr/local/sbin/certbot-auto renew --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ --quiet

puppet/zulip/files/nginx/zulip-include-common/certbot

@@ -1,4 +1,4 @@
 # Directory needed for certbot --webroot to work.
 location /.well-known/acme-challenge/ {
-    alias /var/www/certbot/.well-known/acme-challenge/;
+    alias /var/lib/zulip/certbot-webroot/.well-known/acme-challenge/;
 }

puppet/zulip/manifests/nginx.pp

@@ -46,12 +46,11 @@ class zulip::nginx {
     mode       => 650
   }
 
-  # Directory for use by the certbot webroot plugin
-  file {['/var/www', '/var/www/certbot']:
+  file { ["/var/lib/zulip", "/var/lib/zulip/certbot-webroot"]:
     ensure     => "directory",
-    owner      => "root",
-    group      => "root",
-    mode       => 640,
+    owner      => "zulip",
+    group      => "adm",
+    mode       => 660,
   }
 
   service { 'nginx':