
Fix auto-renew of LetsEncrypt domains for Pages

What does this MR do and why?

As described in https://community.letsencrypt.org/t/production-chain-changes/150739, the LetsEncrypt DST Root CA X3 expired on September 30, 2021. Domains that needed to be renewed via PagesDomainSslWorker would fail with the error "Certificate misses intermediates".

Newly-issued certificates would come with this chain of trust:

End-entity certificate (A) ← R3 (B) ← ISRG Root X1 (C) ← DST Root CA X3

Previously, this is what was happening:

  1. LetsEncrypt returned a bundle containing A, B, and C.
  2. PagesDomain#has_intermediates? took B and C and added them to the OpenSSL certificate store.
  3. OpenSSL::X509::Store#verify returned false because C was a trusted certificate, but DST Root CA X3 had expired.

The crux of the problem is that we aren't using verify properly: we should be passing in an untrusted chain and letting OpenSSL verify that C is indeed trusted from the system store. This emulates the behavior of the -untrusted parameter of the openssl command line (https://www.openssl.org/docs/manmaster/man1/openssl-verification-options.html):

All certificates (typically of intermediate CAs) are considered
untrusted and may be used to construct a certificate chain from the
target certificate to a trust anchor.
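The two ways of calling OpenSSL::X509::Store#verify side by side, as an added example that is not part of this MR or of GitLab's code: it builds a throwaway PKI (constructed names and keys, no Let's Encrypt material) with an expired legacy root, a current self-signed root, a cross-signed copy of that root, an intermediate and a leaf, then verifies the leaf with the intermediates added to the store (old code) and with the intermediates passed as the untrusted chain (fixed code).

```ruby
require 'openssl'

# Constructed test PKI. Signs a cert for `cn` with `issuer_key`, or self-signs when no issuer is given.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false,
              not_before: Time.now - 60, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

OLD_KEY, NEW_KEY, R3_KEY, LEAF_KEY = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
# Expired legacy root (plays the role of DST Root CA X3).
ROOT_OLD = make_cert('Old Root', OLD_KEY, ca: true, not_before: Time.now - 7200, not_after: Time.now - 3600)
# Current self-signed root (plays the role of ISRG Root X1) ...
ROOT_NEW = make_cert('New Root', NEW_KEY, ca: true)
# ... and the same root key cross-signed by the expired root: the "C" of the chain above.
CROSS = make_cert('New Root', NEW_KEY, issuer: ROOT_OLD, issuer_key: OLD_KEY, ca: true)
R3   = make_cert('R3', R3_KEY, issuer: ROOT_NEW, issuer_key: NEW_KEY, ca: true) # intermediate "B"
LEAF = make_cert('pages.example', LEAF_KEY, issuer: R3, issuer_key: R3_KEY)     # end-entity "A"

# Old behaviour: the bundle's intermediates go into the store as if they were trust anchors,
# so OpenSSL chains through the cross-signed cert to whatever root it names.
def verify_trusting_bundle(leaf, intermediates, roots)
  store = OpenSSL::X509::Store.new
  (roots + intermediates).each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error_string]
end

# Fixed behaviour: only roots are trusted; the bundle is the untrusted chain (openssl verify -untrusted).
# The trusted store is consulted first, so R3 chains to the self-signed root and CROSS is never needed.
def verify_with_untrusted(leaf, intermediates, roots)
  store = OpenSSL::X509::Store.new
  roots.each { |c| store.add_cert(c) }
  [store.verify(leaf, intermediates), store.error_string]
end

if $PROGRAM_NAME == __FILE__
  p verify_trusting_bundle(LEAF, [R3, CROSS], [ROOT_OLD])          # false, "certificate has expired"
  p verify_with_untrusted(LEAF, [R3, CROSS], [ROOT_OLD, ROOT_NEW]) # true
  p verify_with_untrusted(LEAF, [], [ROOT_NEW])                    # false: the missing-intermediate case
end
```

The last call is the condition has_intermediates? is meant to detect: with no intermediate supplied OpenSSL cannot reach a trust anchor, whereas a bundle that carries its own root (for example `[R3, ROOT_NEW]` with an empty store) is also rejected because untrusted certificates can never become the anchor.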

Relates to #342326 (closed)

Screenshots or screen recordings

See !71697 (comment 694444107).

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
