    Fix auto-renew of LetsEncrypt domains for Pages · b3a7e0d5
    Stan Hu authored
    As described in
    https://community.letsencrypt.org/t/production-chain-changes/150739, the
    LetsEncrypt DST Root CA X3 expired on September 30, 2021. Domains that
    needed to be renewed via PagesDomainSslWorker would fail with the error,
    "Certificate misses intermediates".
    
    Newly-issued certificates would come with this chain of trust:
    
    End-entity certificate (A) ← R3 (B) ← ISRG Root X1 (C) ← DST Root CA X3
    
    Previously, this is what was happening:
    
    1. LetsEncrypt returned a bundle containing A, B, and C.
    2. `PagesDomain#has_intermediates?` took B and C and added them to the
    OpenSSL certificate store.
    3. `OpenSSL::X509::Store#verify` returned `false` because C was a
    trusted certificate, but DST Root CA X3 had expired.
    
    The crux of the problem is that we aren't using `verify` properly: we
    should be passing in an untrusted chain and allow OpenSSL to verify that
    C is indeed trusted from the system store. This emulates the behavior of
    the `-untrusted` parameter in the `openssl` command-line:
    
    ```
    All certificates (typically of intermediate CAs) are considered
    untrusted and may be used to construct a certificate chain from the
    target certificate to a trust anchor.
    ```
    
    Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/342326
    
    Changelog: fixed
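The calling pattern the commit message describes, as an added example that is not part of the commit or of GitLab's code: a throw-away CA hierarchy is constructed in-process (subjects `Demo Root`, `Demo R3` and `pages.example.test` are made up for the demo), the anchor goes into the `OpenSSL::X509::Store`, and the bundle's intermediates are passed as the untrusted chain to `Store#verify`, the way `openssl verify -untrusted` works. It does not reproduce the exact pre-fix failure, which depended on the cross-signed ISRG Root X1 and the host's system store, but it does exercise the three outcomes the message names: a correct chain verifies, a bundle with no trusted anchor cannot make itself trusted, a missing intermediate is rejected, and a chain whose anchor has expired fails even though every signature is valid.

```ruby
require 'openssl'

# Constructed demo keys (not Let's Encrypt's); generated once because RSA
# key generation dominates the runtime of this script.
KEYS = {
  root: OpenSSL::PKey::RSA.new(2048),
  inter: OpenSSL::PKey::RSA.new(2048),
  leaf: OpenSSL::PKey::RSA.new(2048)
}.freeze

# Build one certificate for the demo hierarchy; a nil issuer_cert means
# self-signed. Validity windows are relative to now so the script is
# reproducible whenever it is run.
def build_cert(subject:, key:, serial:, ca:, issuer_cert: nil, issuer_key: key,
               not_before: Time.now - 3600, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always')) if issuer_cert
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# root -> intermediate -> end-entity, mirroring A <- B <- C in the commit
# message. root_expired: true models an anchor that is past its not_after,
# as DST Root CA X3 was after 2021-09-30.
def build_chain(root_expired: false)
  root_not_after = root_expired ? Time.now - 60 : Time.now + 3600
  root = build_cert(subject: '/CN=Demo Root', key: KEYS[:root], serial: 1, ca: true,
                    not_before: Time.now - 7200, not_after: root_not_after)
  inter = build_cert(subject: '/CN=Demo R3', key: KEYS[:inter], serial: 2, ca: true,
                     issuer_cert: root, issuer_key: KEYS[:root])
  leaf = build_cert(subject: '/CN=pages.example.test', key: KEYS[:leaf], serial: 3, ca: false,
                    issuer_cert: inter, issuer_key: KEYS[:inter])
  { root: root, intermediate: inter, leaf: leaf }
end

# The pattern the commit moves to: only trust anchors go into the store; the
# bundle's intermediates are handed to verify as the untrusted chain, which
# OpenSSL may use for path building but never as a source of trust.
# Returns [ok, error_code, error_string] from the store after verification.
def verify_with_untrusted_chain(leaf, untrusted, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  [ok, store.error, store.error_string]
end

def demo
  good = build_chain
  expired = build_chain(root_expired: true)
  {
    # intermediate supplied untrusted, root trusted: verifies
    ok: verify_with_untrusted_chain(good[:leaf], [good[:intermediate]], [good[:root]]),
    # same bundle, empty store: a self-signed cert in the untrusted chain is not an anchor
    no_anchor: verify_with_untrusted_chain(good[:leaf], [good[:intermediate], good[:root]], []),
    # intermediate absent from the bundle: OpenSSL cannot reach the anchor
    missing_intermediate: verify_with_untrusted_chain(good[:leaf], [], [good[:root]]),
    # signatures all valid, but the chain ends in an expired anchor
    expired_anchor: verify_with_untrusted_chain(expired[:leaf], [expired[:intermediate]], [expired[:root]])
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, code, msg)| puts "#{name}: ok=#{ok} error=#{code} (#{msg})" }
end
```

The `no_anchor` case is the property that makes the untrusted-chain approach safe: a bundle returned by the ACME server (or by anyone else) can supply the path, but trust still comes only from what the store holds, so passing B and C as untrusted never widens what is accepted. `store.error` is what a worker should log on failure, since `V_ERR_CERT_HAS_EXPIRED` and `V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` point at very different remediations.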
letsencrypt_expired_x3.pem 5.8 KB