nivlheim_client certificate request improvements

[oyvindhagberg]

• Perhaps reqcert shouldn't delete the row from waiting_for_approval after a machine has been given a certificate. This in case the machine somehow fails to save the certificate and must ask again.
  Perhaps wait until first report. But those rows should be deleted eventually, or else someone able to use those ip adresses can get a new certificate just by asking.

• The client should verify that it can write to /var/nivlheim/* before it requests a new certificate. Perhaps refuse to run if not root? Later, perhaps it should run as its own user. The package could create a new user during installation.

[oyvindhagberg]

Delayed deletion from waiting_for_approval is handled in handleDNSchanges.go now.