Reload certificates for all client credential based issues

[tlupes]

Reload certificates for all client credential based issues

• You've read the Contributor Guide and Code of Conduct.
• You've included unit or integration tests for your change, where applicable.
• You've included inline docs for your change, where applicable.
• There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Change retry logic to reload certificates on all credential issues, not just revocation/expiration.

Description

The current behavior of the library is to reload and retry certificates in the event that the certificate fails for one of the following two issues:

• The certificate has been revoked.
• The certificate has expired.

There is a great many other reasons that authentication can fail that fall outside of these two scenarios. If any of those additional scenarios occur the certificate will never be reloaded.

As a result, if a bad certificate is installed on the machine and picked up, and subsequently rotated, a service restart is needed for the new certificate to be used.

Fixes #3429

[tlupes]

I am not sure how I can run the extended tests locally (I get credential missing issues even without this change). If they aren't run during merge, let me know how I can run them locally :)

[tlupes]

Integration tests all happy locally!

[jmprieur]

discussed risks with Bogdan for other invalid_client (bad GUID). This is only one retry so taking it