ci: Fix Python Windows Cert Store issue properly

Just import Mozilla's CA certs from certifi so that all root certs are
available. This fixes meson being unable to download any subproject
sources for caching.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5043>

ci/docker/windows/prepare_gst_env.ps1

@@ -1,9 +1,18 @@
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
 
-# FIXME: Python fails to validate github.com SSL certificate, unless we first
-# run a dummy download to force refreshing Windows' CA database.
-# See: https://bugs.python.org/issue36137
-(New-Object System.Net.WebClient).DownloadString("https://github.com") >$null
+# FIXME: Python fails to validate SSL certificates because of an incorrect
+# schannel implementation. Windows downloads CA certs dynamically as required,
+# and Python doesn't do the right thing to trigger that. So, add Mozilla's
+# certs (via certifi) to the windows cert store manually. See:
+# https://bugs.python.org/issue36137
+# https://bugs.python.org/issue36011
+
+python -m pip install certifi
+$cert_pem = python -m certifi
+$plaintext_pw = 'PASSWORD'
+$secure_pw = ConvertTo-SecureString $plaintext_pw -AsPlainText -Force
+C:\msys64\ucrt64\bin\openssl.exe pkcs12 -export -nokeys -out $env:TEMP\certs.pfx -in $cert_pem -passout pass:$plaintext_pw
+Import-PfxCertificate -Password $secure_pw  -CertStoreLocation Cert:\LocalMachine\Root -FilePath $env:TEMP\certs.pfx
 
 Write-Host "Cloning GStreamer"
 git clone -b $env:DEFAULT_BRANCH https://gitlab.freedesktop.org/gstreamer/gstreamer.git C:\gstreamer
@@ -13,5 +22,5 @@ Write-Host "Downloading subprojects"
 meson subprojects download --sourcedir C:\gstreamer
 
 Write-Host "Caching subprojects into /subprojects/"
-python C:\gstreamer/ci/scripts/handle-subprojects-cache.py --build C:\gstreamer/subprojects/
+python C:/gstreamer/ci/scripts/handle-subprojects-cache.py --build C:/gstreamer/subprojects
 Remove-Item -Recurse -Force C:\gstreamer