The “certificate issuer is not built-in” error is a red-herring […] The built-in pins have an expiration date that’s supposed to be about 90 days out from the release, updated weekly. Turns out the automation was broken on the ESR branch […] That means the AMO pins expired on Sept 3 in releases based on 45.3
Turns out this went down the wrong rabbit hole. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1303127#c1