overlayfs regression - caused by adding some changes for shiftfs to
special-case overlayfs - BUT in-fact was already present in overlayfs and
this just manifested it - so for now revert the shiftfs related changes
until is fixed properly in overlayfs itself
“AddTrust Exteral Root CA” certificate had expired - curl and other
applications would fail to connect if they found a certificate chain
which validated via this cert (even if other paths in the chain would be
valid) - removing this cert is the easiest way to fix the issue.