acme: add preferred_chain option
Let's Encrypt currently (cross)signs its certificates with both ISRG Root X1
and DST Root CA X3
: https://community.letsencrypt.org/t/production-chain-changes/150739
This breaks on DoH/DoT servers used as Android Private DNS
because Android excepts each single CA which signed/crosssigned the certificate to be valid, instead if it already met a well-known valid one during the bottom-up validation.
This MR adds the ability to configure a custom preferred chain globally or for each certificate.