caddypki: Add SignWithRoot option for ACME server

See https://caddy.community/t/setting-up-a-caddy-pki-based-on-a-windows-
root-ca-was-getting-pki-config/11616/7

Also improved a godoc comment in the caddytls package.

modules/caddypki/acmeserver/acmeserver.go

@@ -66,6 +66,13 @@ type Handler struct {
 	// on this property long-term; check release notes.
 	PathPrefix string `json:"path_prefix,omitempty"`
 
+	// If true, the CA's root will be the issuer instead of
+	// the intermediate. This is NOT recommended and should
+	// only be used when devices/clients do not properly
+	// validate certificate chains. EXPERIMENTAL: Might be
+	// changed or removed in the future.
+	SignWithRoot bool `json:"sign_with_root,omitempty"`
+
 	acmeEndpoints http.Handler
 	logger        *zap.Logger
 }
@@ -109,6 +116,7 @@ func (ash *Handler) Provision(ctx caddy.Context) error {
 	}
 
 	authorityConfig := caddypki.AuthorityConfig{
+		SignWithRoot: ash.SignWithRoot,
 		AuthConfig: &authority.AuthConfig{
 			Provisioners: provisioner.List{
 				&provisioner.ACME{

modules/caddytls/tls.go

@@ -478,11 +478,14 @@ type Certificate struct {
 	Tags []string
 }
 
-// AutomateLoader is a no-op certificate loader module
-// that is treated as a special case: it uses this app's
-// automation features to load certificates for the
-// list of hostnames, rather than loading certificates
-// manually.
+// AutomateLoader will automatically manage certificates for the names
+// in the list, including obtaining and renewing certificates. Automated
+// certificates are managed according to their matching automation policy,
+// configured elsewhere in this app.
+//
+// This is a no-op certificate loader module that is treated as a special
+// case: it uses this app's automation features to load certificates for the
+// list of hostnames, rather than loading certificates manually.
 type AutomateLoader []string
 
 // CaddyModule returns the Caddy module information.