tlsmanager: implement hot swap of ephemeral cert with wallet unlocker when encrypted TLS keys are used

[Roasbeef]

This is a follow up issue tracking a more fundamental fix for: #8437

Rather than modify the REST proxy unconditionally, we can instead have it process a message from the WalletUnlocker that the permanent TLS cert is now available. This would require a tear down and re-creation of the REST proxy to have it use the new fresh TLS cert (that won't expire in 24 hrs).