update-ca-certificates should be used with --fresh when changing trusted_ssl_ca

Performing a clean deployment o-s-c with an incorrect `trusted_ssl_ca`, for example, an empty input or a combined certificates, the `update-ca-certificates` will skipped creating symbolic links to files named by the hash values (see man openssl rehash), and ends with a missing link

```
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root 61 Feb 22 09:15 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
```

Further re-configuring `trusted_ssl_ca` will not create the missing link because the charm runs `update-ca-certificates` without `--fresh`. This may cause results "in unable to get local issuer certificate" in `check_ssl_cert` check. The missing link can be recreated by `update-ca-certificates --fresh`.

```
/etc/ssl/certs$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
/etc/ssl/certs$ sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
125 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root 61 Feb 22 09:15 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root 28 Feb 22 09:21 8d2fba8c.0 -> openstack-service-checks.pem
lrwxrwxrwx 1 root root 61 Feb 22 09:21 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
```

Note, the missing symlink is important for `check_ssl_cert` to find the certificates and work properly. Also, see the attachment for complete stdout output.