
Have DAVE also trust Let's Encrypt CA

We’re told that https://tails.b.o will likely switch to Let’s Encrypt certificates around the end of the year, so DAVE needs to trust the Let’s Encrypt CA somehow. Ideally, it would trust Let’s Encrypt’s current intermediate CA, instead of the DST root CA (see #11810 (closed) for details). But if this does not work, then DAVE needs to trust both the root CA currently used by Let’s Encrypt (i.e. the DST one) and Let’s Encrypt’s own root CA that will be used in the future.

Note the “also” in the ticket title: DAVE needs to keep trusting the currently used CA until the tails.b.o webserver switches to the new one. What needs to be done is to make it also trust the CA that will be used in the future. I had a quick look at conf.json and at first glance, it looks like such CA transition processes are not supported, which seems surprising to me given it’s a pretty common use case. I hope I’m wrong, and even if I got it right, I hope that it’s easy to add support for this use case :)

To ease development and testing, I’ve set up a descriptor on a web server that already uses Let’s Encrypt: https://labs.riseup.net/test/tails.boum.org/install/v1/Tails/i386/stable/latest.yml. So one should be able to test pinning changes against something that looks very much like our future production setup.

Parent Task: #11809 (closed)

Original created by @intrigeri on 11814 (Redmine)
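
The CA transition this ticket asks for, sketched as an added example that is not part of the original ticket or of DAVE's code: a pin set holding both the current and the future CA, checked against every certificate in the served chain. The pin format, the `checkPins` and `normalizeFingerprint` names and all fingerprints are assumptions made for illustration; the real conf.json layout is not shown on this page.

```javascript
// Added example. Assumes the TLS stack has already validated the chain;
// this is only the extra pin check layered on top of that validation.

// Accept "AA:BB:..." or "aabb..."; return lowercase hex, or null if not a SHA-256 digest.
function normalizeFingerprint(fp) {
  if (typeof fp !== "string") return null;
  const hex = fp.replace(/:/g, "").toLowerCase();
  return /^[0-9a-f]{64}$/.test(hex) ? hex : null;
}

// pins:  [{ label, sha256 }] (hypothetical format)
// chain: certificate fingerprints ordered leaf -> root
// Trusted if ANY certificate in the chain matches ANY pin, so an intermediate
// CA can be pinned instead of a root, and two CAs can be pinned at once.
function checkPins(chain, pins) {
  const rejected = { trusted: false, matched: null, position: -1 };
  const pinMap = new Map();
  for (const pin of pins) {
    const hex = normalizeFingerprint(pin.sha256);
    if (hex === null) throw new Error("malformed pin: " + pin.label);
    pinMap.set(hex, pin.label);
  }
  if (!Array.isArray(chain) || chain.length === 0) return rejected;
  const normalized = chain.map(normalizeFingerprint);
  if (normalized.includes(null)) return rejected; // fail closed on garbage input
  for (let i = 0; i < normalized.length; i++) {
    if (pinMap.has(normalized[i])) {
      return { trusted: true, matched: pinMap.get(normalized[i]), position: i };
    }
  }
  return rejected;
}

// Constructed placeholder fingerprints (one hex digit repeated), not real certificates.
const fp = (digit) => digit.repeat(64);
const PINS = [
  { label: "current CA", sha256: fp("a") },
  { label: "future intermediate CA",
    sha256: fp("b").toUpperCase().match(/.{2}/g).join(":") },
];
const chainBeforeSwitch = [fp("1"), fp("a")];         // leaf, current CA
const chainAfterSwitch = [fp("2"), fp("b"), fp("c")]; // leaf, future intermediate, its root
const chainUnrelated = [fp("3"), fp("d")];            // issued by an unpinned CA

console.log(checkPins(chainBeforeSwitch, PINS), checkPins(chainAfterSwitch, PINS));
```

With only the first pin configured, `chainAfterSwitch` is rejected, which is the breakage the "also" in the title is meant to avoid.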
