--preferred-chain: only match root name

[aarongable]

Currently, when certbot is given the --preferred-chain='Some Name'
flag, it iterates through all alternate chains offered by the ACME
server until it finds any certificate which has 'Some Name' as its
Issuer Common Name. Unfortunately, this means that if the desired
alternate chain is a strict subset of any earlier chain (e.g. the
default chain is 'EE <-- Int <-- Root1 <-- Root2', but the desired
chain is 'EE <-- Int <-- Root1'), there is no name which can be
provided by the user which will allow the client to select the desired
chain.

This change makes it so that the find_chain_with_issuer logic only
cares about the Issuer Common Name found in the last certificate in
each chain. In the example above, the user would then be able to get
their desired chain by specifying --preferred-chain='Root1': although
that name appears in the default chain, it does not appear in the
highest certificate of that chain.

This change is technically backwards-incompatible. However, the only
advice that has been given to users of certbot (and the only use-case
that we believe has existed so far) involved setting the flag to a
value that is the name of a root, not an intermediate, so we don't
expect any real-world configurations or use-cases to be broken.

Fixes #8577

Pull Request Checklist

• If the change being made is to a distributed component, edit the master section of certbot/CHANGELOG.md to include a description of the change being made.
• Add or update any documentation as needed to support the changes in this PR.
• Include your name in AUTHORS.md if you like.

[alexzorin]

Looks good!

[alexzorin]

Thanks very much for writing this!