monitor self-signed certs
In #41633 (closed), we implemented basic certificate expiry checks for sites monitored in Prometheus, and in #41731 (closed) we monitor all public certs deployed by Puppet.

But we still have other certificates that we don't correctly check. The db.tpo self-signed cert (which should be autorenewed, see #41482) is due for a kick in February 2026 and definitely needs monitoring, and so does the "auto-ca" stuff (`thishost.pem`). In #41633 (closed), this was marked as this task:
- `dsa-check-cert-expire` (cert-exporter, checks local CA for expiry, on disk, `/etc/ssl/certs/thishost.pem` and `db.torproject.org.pem` on each host)
This, it turns out, was kind of wacky: `thishost.pem` doesn't exist anywhere, and there's stuff Nagios doesn't check that we do want to check. So here's an actual task list:
- `/etc/ssl/certs/db.torproject.org.pem` on alberti (path to confirm)
- `/etc/puppet/modules/ssl/files/certs/ca.crt` on pauli
- the Puppet CA cert on pauli (which is different from the above)
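As an added example (not code from this issue, from cert-exporter or from the TPA Puppet tree), here is a small Go check in the spirit of the task list above: it parses a PEM certificate from disk, reports the days until `NotAfter`, and emits a node_exporter textfile-collector line so the Prometheus alerting from #41633 can pick it up. The metric name `x509_cert_not_after_seconds`, the 30-day warning threshold and the constructed self-signed CA certificate used when no path is given are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertExpiry returns the NotAfter of the first CERTIFICATE block in a PEM file.
// Other PEM blocks sharing the file (keys, DH params) are skipped.
func CertExpiry(pemBytes []byte) (time.Time, error) {
	for {
		block, rest := pem.Decode(pemBytes)
		if block == nil {
			return time.Time{}, errors.New("no CERTIFICATE block found")
		}
		if block.Type == "CERTIFICATE" {
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return time.Time{}, err
			}
			return cert.NotAfter, nil
		}
		pemBytes = rest
	}
}

// DaysLeft is the (possibly negative) number of days from now until expiry.
func DaysLeft(notAfter, now time.Time) float64 {
	return notAfter.Sub(now).Hours() / 24
}

// Status classifies a certificate against a warning threshold in days.
func Status(daysLeft, warnDays float64) string {
	switch {
	case daysLeft < 0:
		return "expired"
	case daysLeft < warnDays:
		return "warning"
	default:
		return "ok"
	}
}

// TextfileLine renders the expiry as a node_exporter textfile-collector metric.
// The metric name is an assumption for this example, not an existing TPA metric.
func TextfileLine(path string, notAfter time.Time) string {
	return fmt.Sprintf("x509_cert_not_after_seconds{path=%q} %d\n", path, notAfter.Unix())
}

// SelfSignedPEM builds a throwaway self-signed CA certificate: constructed test
// input standing in for db.torproject.org.pem or the Puppet CA cert.
func SelfSignedPEM(cn string, notBefore time.Time, validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validFor),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Usage: go run check.go /etc/ssl/certs/db.torproject.org.pem [more paths]
	// With no arguments, a constructed 90-day cert is checked instead.
	const warnDays = 30
	now := time.Now()
	paths := os.Args[1:]
	if len(paths) == 0 {
		pemBytes, err := SelfSignedPEM("db.torproject.org", now, 90*24*time.Hour)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		exp, _ := CertExpiry(pemBytes)
		fmt.Printf("constructed cert: %.1f days left (%s)\n", DaysLeft(exp, now), Status(DaysLeft(exp, now), warnDays))
		fmt.Print(TextfileLine("constructed.pem", exp))
		return
	}
	for _, path := range paths {
		pemBytes, err := os.ReadFile(path)
		if err == nil {
			var exp time.Time
			if exp, err = CertExpiry(pemBytes); err == nil {
				days := DaysLeft(exp, now)
				fmt.Printf("%s: %.1f days left (%s)\n", path, days, Status(days, warnDays))
				fmt.Print(TextfileLine(path, exp))
				continue
			}
		}
		fmt.Fprintf(os.Stderr, "%s: %v\n", path, err) // unreadable or unparsable file
	}
}
```

Run from cron or a Puppet-managed timer on alberti and pauli, redirecting the `TextfileLine` output into the textfile collector directory; the day count alone is what the issue wants to know, so an alert on `x509_cert_not_after_seconds - time()` dropping below the threshold covers all three certs with one rule.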
This was postponed in Phase A because it didn't seem like a short-term priority for Nagios' retirement, and we hadn't had any problems with `thishost.pem` in the past. db.tpo is a different story, but it doesn't expire before February 2026, so it was deprioritized as well.
Setting a due date about a quarter before the February 2026 outage.