update test_silo_certificates

[ahl]

Theses tests are intended to validate what happens when we use the wrong certificate to connect to a silo

omicron/nexus/tests/integration_tests/certificates.rs

Lines 588 to 627 in ea2f4d2

	// For good measure, to make sure we got the certificate stuff right, let's
	// try to use the wrong certificate to reach each endpoint and confirm that
	// we get a TLS error.
	let silo2_client_wrong_cert = silo2.oxide_client(
	silo3.reqwest_client(),
	resolver.clone(),
	AuthnMode::SiloUser(silo2_user),
	nexus_port,
	);
	let error =
	silo2_client_wrong_cert.current_user_view().send().await.expect_err(
	"unexpectedly connected with wrong certificate trusted",
	);
	if let oxide_client::Error::CommunicationError(error) = error {
	assert!(error.is_connect());
	assert!(error.chain().to_string().contains("self-signed certificate"));
	} else {
	panic!(
	"unexpected error connecting with wrong certificate: {:#}",
	error
	);
	}
	let silo3_client_wrong_cert = silo3.oxide_client(
	silo2.reqwest_client(),
	resolver.clone(),
	AuthnMode::SiloUser(silo2_user),
	nexus_port,
	);
	let error =
	silo3_client_wrong_cert.current_user_view().send().await.expect_err(
	"unexpectedly connected with wrong certificate trusted",
	);
	if let oxide_client::Error::CommunicationError(error) = error {
	assert!(error.is_connect());
	assert!(error.chain().to_string().contains("self-signed certificate"));
	} else {
	panic!(
	"unexpected error connecting with wrong certificate: {:#}",
	error
	);

As @jmpesp notes:

I'm not sure this check is right: it looks like this part of the test is meant to check that a client can't connect using the wrong certificate, and this check is asserting it won't trust a self-signed certificate. That's not quite the same thing. I think we need either add_root_certificate or danger_accept_invalid_certs in order to test that the client accepts the self-signed cert but fails due to the incorrect certificate being used.