Enable Client Retrying
see:
I've tested this (so far) by triggering 502's on gracedb-dev1 (by forcibly restarting gunicorn), and also triggering ConnectionErrors on gracedb-dev1 by logging in as root and restarting apache. Without the Retry, the code dies. With the Retry, it fully recovers.
It does look like there is another TLS renegotiation when the code reconnects, but I don't see another way around that.
Next step is to get it working with the certificate reloading, and then it should be good to go.