certbot: Use ECDSA (P-256) certificates, not RSA

certbot switched to ECDSA by default about two years ago, following recommended practices.

We are currently using RSA with 4096 bits, which is extremely slow to sign. Using ECDSA should give us a nice speedup.