For the case of SIGNERNOTCA, INSECUREALG, or a newer unhandled value,
the "(a)ccept always" prompt was allowed, but the cert saving was
prevented by a check only against NOTTRUSTED.  This ended up giving a
strange error message saying the cert was not saved.

Fix to save the cert for all errors except HOSTNAME (which is handled
separately).