Have our website CA bundle trust Let's Encrypt CA

We’re told that https://tails.b.o will likely switch to Let’s Encrypt certificates around the end of the year, so config/chroot_local-hooks/58-create-tails-website-CA-bundle needs to add the Let’s Encrypt CA. We probably need to add the Let’s Encrypt intermediate CA (currently signed by IdenTrust’s root CA): if we instead added IdenTrust’s root CA, then things might start breaking once Let’s Encrypt starts delivering certificates signed by its intermediate CA, itself signed by their own root CA (technically there will still be a trust path, but the files set up by the Let’s Encrypt client on the web server may not advertise it, so our clients won’t know about it). See https://letsencrypt.org/2016/08/05/le-root-to-be-trusted-by-mozilla.html.

Feature Branch: feature/11810-lets-encrypt, perl5lib:feature/11810-lets-encrypt

Parent Task: #11809 (closed)

Original created by @intrigeri on 11810 (Redmine)
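
The trust-path reasoning in the description can be reproduced offline. The following is an added example, not part of the original issue or of the Tails hook: it builds a throwaway PKI with `openssl` in which one intermediate key is certified by two roots, then checks which pinned bundle still validates the leaf depending on which intermediate certificate the server advertises. All CA names and file names are constructed, and the use of `-partial_chain` (letting a non-root certificate in the bundle act as trust anchor) is an assumption about the verifying client.

```shell
#!/bin/sh
# Added example. All CA names and files are constructed placeholders.
D=$(mktemp -d) && cd "$D" || exit 1
trap 'rm -rf "$D"' EXIT
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > cfg

new_root() {  # $1 = file prefix, $2 = CN; writes a self-signed root CA
  openssl req -x509 -config cfg -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$1.key" -subj "/CN=$2" -days 2 -out "$1.pem" 2>/dev/null
}
new_csr() {   # $1 = file prefix, $2 = CN; writes a key and a CSR
  openssl req -new -config cfg -newkey rsa:2048 -nodes \
    -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}
issue() {     # $1 = CSR prefix, $2 = issuer cert, $3 = issuer key, $4 = output, rest = extra options
  csr=$1 ca=$2 key=$3 out=$4; shift 4
  openssl x509 -req -in "$csr.csr" -CA "$ca" -CAkey "$key" -days 2 \
    -out "$out" "$@" 2>/dev/null
}
build_pki() {
  new_root root_old "Old Root (constructed)"   # stands in for the third-party root
  new_root root_new "New Root (constructed)"   # stands in for the CA's own root
  new_csr int "Intermediate (constructed)"
  # One intermediate key, certified twice: the cross-signed and the own-root variant.
  issue int root_old.pem root_old.key int_by_old.pem -set_serial 1 -extfile cfg -extensions ca
  issue int root_new.pem root_new.key int_by_new.pem -set_serial 1 -extfile cfg -extensions ca
  new_csr leaf "www.example.test"
  issue leaf int_by_old.pem int.key leaf.pem -set_serial 2
}
# $1 = CA bundle the client ships, $2 = intermediate the server advertises.
# -partial_chain lets a non-root certificate in the bundle act as trust anchor.
trusts() {
  openssl verify -partial_chain -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
}

build_pki
for bundle in root_old.pem int_by_old.pem; do
  for served in int_by_old.pem int_by_new.pem; do
    if trusts "$bundle" "$served"; then r=OK; else r=FAIL; fi
    echo "bundle=$bundle served=$served -> $r"
  done
done
```

Only the combination of the old-root bundle with a server advertising the own-root intermediate fails; the intermediate-pinning bundle validates the leaf in both cases because the leaf's issuer key is unchanged.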