pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()

Description

This fixes a priority inversion when doing initial certificate commits.

  • pki subsystem is executed with priority 300
  • vti uses priority 381
  • ipsec uses priority 901

On commit, pki.py will be executed first, detecting a change in dependencies
for vpn_ipsec.py, which will be executed second. The VTI interface was not yet
created, leading to ConfigError('VTI interface XX for site-to-site peer YY does
not exist!')

The issue is caused by this new line of code in commit b8db1a9d7ba ("pki:
T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py
line 139 which triggers the dependency update even if a key is newly added.

This commit changes the "detection" based on the certbot configuration on disk.

Details

Provenance
c-po authored on Jan 7 2024, 10:36 AM
Parents
rVYOSONEX410458c00e62: ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists()