elixir-mint / mint

Functional HTTP client for Elixir with support for HTTP/1 and HTTP/2 🌱
Apache License 2.0

DST Root CA X3 expiration #327

Closed voltone closed 3 years ago

voltone commented 3 years ago

When the DST Root CA X3 certificate expires on September 30 2021, certificate verification will fail for servers presenting Let's Encrypt's default 'long' chain on some Erlang/OTP versions.

Erlang/OTP versions prior to 23.3 are not affected: as long as the (now expired) DST Root CA X3 certificate is still present in the CA trust store, it will be trusted despite the expiry; once the certificate is removed, Mint's partial chain hook will mark the cross-signed version of the ISRG root CA as trusted because it has the same public key as the ISRG root CA in the trust store.

Erlang/OTP versions 23.3.4.5 and later, as well as 24.0.4 and later, are not affected as they include OTP-17475, which enables handling of alternate paths (actually making Mint's partial chain hook redundant).

On Erlang/OTP 23.3 through 23.3.4.4 and 24.0 through 24.0.3, Mint will fail to establish a connection to the server with Let's Encrypt's 'long' chain when the DST Root CA X3 certificate is still present in the trust store.

I previously thought the only solution was to remove the expired CA certificate from the trust store. But it turns out it is possible to work around this in the partial chain hook: if the certificate at the start of the chain has expired, the function should just drop it and recurse on the shorter chain. The next invocation will succeed because the cross-signed version of the ISRG root CA has the same public key as the ISRG root CA certificate in the trust store, and is therefore trusted.
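The hook behaviour described in the comment above, written out as an added example (this is not Mint's own `partial_chain` implementation): `partial_chain/2` is assumed to be wired into the `:partial_chain` option of `:ssl` with the trust store's DER certificates as `cacerts`, and the chain passed in by `:ssl` is assumed to be ordered from the candidate root down towards the peer certificate. The record names, helper names and time parsing are this example's own.

```elixir
defmodule PartialChainExample do
  # Added example, not Mint's code. Intended for the :partial_chain option of
  # :ssl; `chain` is ordered from the candidate root down towards the peer cert.
  require Record

  @hrl "public_key/include/public_key.hrl"
  Record.defrecordp(:otp_cert, :OTPCertificate, Record.extract(:OTPCertificate, from_lib: @hrl))
  Record.defrecordp(:tbs, :OTPTBSCertificate, Record.extract(:OTPTBSCertificate, from_lib: @hrl))
  Record.defrecordp(:validity, :Validity, Record.extract(:Validity, from_lib: @hrl))

  def partial_chain(cacerts, chain) do
    trusted_keys = Enum.map(cacerts, &elem(validity_and_key(&1), 1))
    find_anchor(trusted_keys, chain, System.os_time(:second))
  end

  defp find_anchor(_trusted_keys, [], _now), do: :unknown_ca

  defp find_anchor(trusted_keys, [der | rest], now) do
    {not_after, spki} = validity_and_key(der)
    cond do
      # Expired head of the chain (DST Root CA X3 after 2021-09-30): drop it and
      # recurse. Checked before the key match, because the expired root is itself
      # in the store and would otherwise be returned as an anchor that fails validation.
      not_after < now -> find_anchor(trusted_keys, rest, now)
      # Cross-signed ISRG Root X1 carries the same key as the ISRG Root X1 in the store.
      spki in trusted_keys -> {:trusted_ca, der}
      true -> find_anchor(trusted_keys, rest, now)
    end
  end

  defp validity_and_key(der) do
    otp_cert(tbsCertificate: tbs(validity: validity(notAfter: not_after), subjectPublicKeyInfo: spki)) =
      :public_key.pkix_decode_cert(der, :otp)
    {to_unix(not_after), spki}
  end

  # ASN.1 UTCTime 'YYMMDDHHMMSSZ' (50-99 => 19xx) and GeneralizedTime 'YYYYMMDDHHMMSSZ'
  defp to_unix({:utcTime, str}) do
    <<yy::binary-size(2), rest::binary>> = List.to_string(str)
    century = if String.to_integer(yy) >= 50, do: "19", else: "20"
    to_unix({:generalTime, String.to_charlist(century <> yy <> rest)})
  end

  defp to_unix({:generalTime, str}) do
    <<y::binary-size(4), mo::binary-size(2), d::binary-size(2), h::binary-size(2),
      mi::binary-size(2), s::binary-size(2), "Z">> = List.to_string(str)
    {:ok, dt, 0} = DateTime.from_iso8601("#{y}-#{mo}-#{d}T#{h}:#{mi}:#{s}Z")
    DateTime.to_unix(dt)
  end
end
```

With the expired DST Root CA X3 at the head of the chain, the first clause skips it and the next iteration returns the cross-signed ISRG Root X1 as `{:trusted_ca, der}`, which `:ssl` then validates against the remaining, still-valid path.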

voltone commented 3 years ago

I will try to create a PR, but unfortunately I can't promise anything at this time...