Support "alternate" certificate links for different Root CA

[shibayan]

Let's Encrypt will switch to ISRG Root CA starting September 29, 2020.

However, due to the lack of support on some Android devices, the current IdenTrust Root CA is also provided with an alternate HTTP header.

Ref

• https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html
• Handling the Let's Encrypt certificate chain switchover certbot/certbot#6971
• certbot: add --preferred-chain certbot/certbot#8080

[ebekker]

Additional refs:

• https://community.letsencrypt.org/t/workflow-for-using-alternate-link-relation/129321
• According to https://tools.ietf.org/html/rfc8555#section-7.4.2 the server MAY provide one or more additional certificate download URLs, each pointing to an alternative certificate chain starting with the same end-entity certificate.