Known devices with expired CAs can no longer connect

[dnrce]

Describe the bug
In our org we manually pin certs for each of our devices, rendering the device CA chain-of-trust essentially moot. We don't have CAs added to the org, because our understanding has been that org device CAs are only needed for trust during JITP. This has worked well for us in the past, but after an attempted upgrade to NervesHub v1.0.0, some of our devices were unable to reconnect to NervesHub due to a certificate error. The client logs:

13:59:14.466 [error] GenStateMachine #PID<0.21479.49> terminating
** (exit) {:socket_error, {:tls_alert, {:internal_error, 'TLS client: In state connection received SERVER ALERT: Fatal - Internal Error\n '}}}
    (stdlib 3.13) gen_statem.erl:1360: :gen_statem.loop_state_callback_result/11
    (stdlib 3.13) proc_lib.erl:226: :proc_lib.init_p_do_apply/3

and the device server logs:

14:30:53.432 [notice] TLS :server: In state :wait_cert at ssl_handshake.erl:362 generated SERVER ALERT: Fatal - Internal Error
 - {:unexpected_error, {:case_clause, :cert_expired}}

The affected devices were provisioned with CAs that have since expired. Even though their device certs are known, they are now being rejected when attempting to connect. This seems to be related to OTP 24 and specifically to e67f4a6.

To Reproduce
Steps to reproduce the behavior:

1. Provision a device with a pinned cert (i.e. non-JITP) from an expired CA in an older version of NervesHub (tested with 8c1dc08).
2. Update NervesHub past e67f4a6.
3. The device can no longer connect.

Expected behavior
The device is able to connect despite having an expired CA.