Some SSL CA's missing from runtime
Context
Downstream issue https://github.com/flathub/com.valvesoftware.Steam/issues/274 Looks like the cert chain shipped is incomplete and is missing things like GlobalSign_Root_CA (5ad8a5d6.0). These CA's show up as broken links under /etc/ssl/certs/
Description
Investigate why we're missing CA's and whether we could ship them.
Acceptance Criteria
Nothing existing breaks. There are tests that ensure the SSL setup won't break.