Remove fallback certificate and document corresponding HAProxy config

It's no longer necessary to install a fallback certificate for HAProxy to start. HAProxy can be put into a mode where it is strict about for which domains to enable TLS or not. We should use that and document how to use it, then remove the fallback certificate.