bug-gnu-emacs

bug#51038: 27.2; ELPA certificate not trusted on Windows


From: Michael Hoffman
Subject: bug#51038: 27.2; ELPA certificate not trusted on Windows
Date: Tue, 05 Oct 2021 15:14:24 +0000

emacs.exe -Q --eval '(package-list-packages)' produces a *Network
Security Manager* buffer:

```
Certificate information
  Issued by:          R3
  Issued to:          CN=elpa.gnu.org
  Hostname:           elpa.gnu.org
  Public key:         RSA, signature: RSA-SHA256
  Session:            TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
  Security level:     Medium
  Valid:              From 2021-09-28 to 2021-12-27

The TLS connection to elpa.gnu.org:443 is insecure
for the following reasons:

* certificate has expired
* certificate could not be verified
```

Output of `gnutls-cli.exe elpa.gnu.org`:

```
|<1>| There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 
Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
|<1>| There was a non-CA certificate in the trusted list: 
C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
|<1>| There was a non-CA certificate in the trusted list: CN=Root Agency.
Processed 55 CA certificate(s).
Resolving 'elpa.gnu.org:443'...
Connecting to '209.51.188.89:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=elpa.gnu.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 
0x032e7afac8c8ff8acef5382c75dc16538637, RSA key 2048 bits, signed using 
RSA-SHA256, activated `2021-09-28 20:42:42 UTC', expires `2021-12-27 20:42:41 
UTC', pin-sha256="WYj0qX4c/Xw7gDsCopUPyykUZoDxWda2RX3oSCAMTKE="
        Public Key ID:
                sha1:5641117962b98566f89ee43b392d5fa6a5c7e92d
                
sha256:5988f4a97e1cfd7c3b803b02a2950fcb29146680f159d6b6457de848200c4ca1
        Public Key PIN:
                pin-sha256:WYj0qX4c/Xw7gDsCopUPyykUZoDxWda2RX3oSCAMTKE=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet 
Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA 
key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', 
expires `2025-09-15 16:00:00 UTC', 
pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer 
`CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 
0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, 
activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', 
pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate chain uses expired 
certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

In `certlm.msc`, under "Certificates - Local Computer\Trusted Root
Certification Authorities\Certificates" there is a "DST Root CA X3"
certificate expiration 9/30/2021 serial number
44afb080d6a327ba893039862ef8406b.

There is also an "ISRG Root X1" certificate expiration 6/4/2035 serial number 
008210cfb0d240e3594463e0bb63828b00.

It looks like GnuTLS is trying to check the certificate chain using the
DST Root CA X3 which has expired. The serial number and expiration for
the ISRG Root X1 in the certificates provided by elpa.gnu.org do not
match the one that Windows trusts.

Is this something that can be fixed on elpa.gnu.org? Something that I
need to fix in Windows?


In GNU Emacs 27.2 (build 1, x86_64-w64-mingw32)
 of 2021-03-26 built on CIRROCUMULUS
Repository revision: deef5efafb70f4b171265b896505b92b6eef24e6
Repository branch: HEAD
Windowing system distributor 'Microsoft Corp.', version 10.0.19043
System Description: Microsoft Windows 10 Home (v10.0.2009.19043.1237)

Configured using:
 'configure --without-dbus --host=x86_64-w64-mingw32
 --without-compress-install 'CFLAGS=-O2 -static''

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND NOTIFY W32NOTIFY ACL GNUTLS LIBXML2
HARFBUZZ ZLIB TOOLKIT_SCROLL_BARS MODULES THREADS JSON PDUMPER LCMS2 GMP

Important settings:
  value of $LANG: en_US
  locale-coding-system: utf-8-unix
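
An added illustration, not part of the original report and not GnuTLS code: a simplified model of chain validation over the three certificates in the `gnutls-cli` output and the two trust-store entries from `certlm.msc`, using the expiry dates shown above. Matching issuer to subject by name stands in for signature verification, and `verify` and its `prefer_trusted_anchor` switch are hypothetical names.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Chain as sent by the server (expiry dates from the gnutls-cli output above).
SENT = [
    Cert("elpa.gnu.org", "R3", date(2021, 12, 27)),
    Cert("R3", "ISRG Root X1", date(2025, 9, 15)),
    Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30)),
]
# Trusted roots as listed in certlm.msc above (modelled as self-signed).
STORE = {
    "DST Root CA X3": Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30)),
    "ISRG Root X1": Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4)),
}

def verify(chain, store, today, prefer_trusted_anchor):
    """Return (ok, reason) for a server-sent chain against a trust store."""
    for cert in chain:
        if today > cert.not_after:
            return False, f"{cert.subject} expired"
        # Stop as soon as an unexpired trusted root issued this certificate,
        # ignoring whatever further certificates the server sent.
        if prefer_trusted_anchor and cert.issuer in store:
            anchor = store[cert.issuer]
            if today <= anchor.not_after:
                return True, f"anchored at {anchor.subject}"
    # Otherwise follow the sent chain to its end and anchor there.
    anchor = store.get(chain[-1].issuer)
    if anchor is None:
        return False, "no trusted issuer"
    if today > anchor.not_after:
        return False, f"{anchor.subject} expired"
    return True, f"anchored at {anchor.subject}"

if __name__ == "__main__":
    report_date = date(2021, 10, 5)  # date of the report
    print(verify(SENT, STORE, report_date, prefer_trusted_anchor=False))
    print(verify(SENT, STORE, report_date, prefer_trusted_anchor=True))
```

In this model the same chain and trust store fail or pass depending only on whether validation stops at the first trusted, unexpired anchor.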




