boulder/ocsp
Jacob Hoffman-Andrews e1243993d3
ocsp/responder: improve multiSource logic (#6143)
When we get a primary result, but the primary result is too stale
(>60h), try to serve from the secondary instead. This allows us to
smoothly transition into the "ocsp-updater no longer updates MariaDB"
regime.

If the primary result is too stale, and the secondary returns an
error, go ahead and serve the primary result. This could happen if
ocsp-updater falls behind. We would still like to try and serve an OCSP
response from the primary until its actual expiration date
(168h currently). This preserves our current graceful failure mechanism
when ocsp-updater is not running for many hours.

Also, in the case where secondary returns first but primary has a
fresher response, serve the primary's response. This ensures we always
serve the freshest available, for instance if Redis stops getting
updates for a while.

Related to #6079
2022-06-03 15:16:17 -07:00
responder ocsp/responder: improve multiSource logic (#6143) 2022-06-03 15:16:17 -07:00
updater ocsp/responder: improve multiSource logic (#6143) 2022-06-03 15:16:17 -07:00