bin/make-cert, bin/fix-cert-chain: Hack certificate chains for compatibility. master
author Mark Wooding <mdw@distorted.org.uk>
Sat, 2 Oct 2021 10:39:05 +0000 (11:39 +0100)
committer Mark Wooding <mdw@distorted.org.uk>
Sat, 2 Oct 2021 10:39:05 +0000 (11:39 +0100)
commit 66e6e0a3eda20be4da74317266f28a1e95005166
tree 91e6d0001b36c310e05325ee45e629790163cc75
parent fffac188628941e2e083f20934aa7c700096d07f
bin/make-cert, bin/fix-cert-chain: Hack certificate chains for compatibility.

Oh, this is a mess.

https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816

Old versions of Android don't recognize the new Let's Encrypt issuer.
So LE deployed a kludge: their certificate chains include a reference to
their old issuer, which /is/ recognized by old Android versions.  But
there's a problem: this issuer /expired/ yesterday, and old versions of
OpenSSL and GnuTLS reject certificate bundles involving expired issuers,
even if (a) the expired certificate is in the cert store, not provided
by the server, and (b) there's a perfectly fine trust path which doesn't
involve the duff certificate.

Introduce a new script `fix-cert-chain' to generally tidy up certificate
chains by (a) deleting duplicate certificates and (b) removing
certificates from `bad' issuers.
bin/fix-cert-chain [new file with mode: 0755]
bin/make-cert
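The two clean-ups the commit message describes for `fix-cert-chain' (drop duplicate certificates, drop certificates from a named bad issuer) as an added, stand-alone example; it is not the repository's script, which is not shown on this page. It walks just enough DER to reach the issuer commonName, so it needs no third-party library; the issuer names and the certificate skeletons it is fed are constructed for the demonstration and carry no key or signature.

```python
import base64, hashlib, re

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the byte count
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):  # split a constructed DER body into (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def issuer_cn(der):
    """commonName of the issuer of a DER-encoded X.509 cert (None if absent)."""
    tbs = _children(_children(der)[0][1])[0][1]  # Certificate -> tbsCertificate
    f = _children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0  # skip the explicit [0] version if present
    for _, rdn in _children(f[i + 2][1]):  # issuer: SEQUENCE OF SET OF {OID, value}
        for _, atv in _children(rdn):
            oid, val = _children(atv)
            if oid[1] == b"\x55\x04\x03":  # id-at-commonName
                return val[1].decode("utf-8", "replace")
    return None

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_block):
    return base64.b64decode(PEM_RE.search(pem_block).group(1))

def tidy_chain(pem_text, bad_issuers):
    """Keep each distinct cert once, dropping any issued by a CN in bad_issuers."""
    kept, seen = [], set()
    for m in PEM_RE.finditer(pem_text):
        der = pem_to_der(m.group(0))
        fp = hashlib.sha256(der).digest()  # duplicates compare by fingerprint
        if fp in seen or issuer_cn(der) in bad_issuers:
            continue
        seen.add(fp)
        kept.append(m.group(0))
    return kept

# Constructed sample input: cert skeletons (made-up issuers, no key/signature).
def _der(tag, body):  # short-form DER encoder; enough for these tiny skeletons
    return bytes([tag, len(body)]) + body

def sample_cert(issuer, serial):
    cn = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, issuer.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
           + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
           + _der(0x30, _der(0x31, cn)))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Feed `tidy_chain` the server's bundle text and the set of issuer commonNames you want gone; the blocks it returns are the chain to serve, in original order.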