tls-util: Fix ssl_root_cert to load all certs from PEM bundles

[def-]

X509::from_pem only reads the first certificate from a PEM bundle, so if ssl_root_cert contains multiple CA certificates (e.g., root + intermediates or multiple roots), only the first is loaded into the trust store. This causes TLS verification to fail with "unknown ca" when the relevant trust anchor is not the first cert in the bundle, diverging from libpq behavior which accepts CA bundles.

Fix by using X509::stack_from_pem (which parses all certs) and adding each to the cert store, mirroring the pattern already used in pkcs12der_from_pem in the same file.

Bug introduced in PR #13552 which changed from file-based set_ca_file() to in-memory add_cert(X509::from_pem()).

[github-actions]

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

• Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
• Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
• Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

• The PR title is descriptive and will make sense in the git log.
• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

[def-]

Ready for review

[martykulma]

lgtm, thanks @def- !