Keep returning ERROR_ONION_WITH_SELF_SIGNED_CERT only for .onion sites whose cert throws ERROR_UNKNOWN_ISSUER

5ae2df82 from Mozilla mixed with our ca4d65c8 causes ERROR_ONION_WITH_SELF_SIGNED_CERT to be returned for more cases than we would want.

Let's our patch behave like it used to and make an exception only for ERROR_UNKNOWN_ISSUER.