crypto/x509: ignore harmless edge case in TestSystemRoots
The no-cgo validation hack lets in certificates from the root store that
are not marked as roots themselves, but are signed by a root; the cgo
path correctly excludes them. When TestSystemRoots compares cgo and
no-cgo results it tries to ignore them by ignoring certificates which
pass validation, but expired certificates were failing validation.
Letting through expired certs is harmless anyway because we will refuse
to build chains to them.