When senza looks up SSL certificates for the LB listeners is picks the first one that matches the domain name.

This can return a certificate that is not valid.

The list of eligible certificates should only include valid certificates and, ideally, sort them like we did for https://github.com/zalando-incubator/kube-ingress-aws-controller/blob/master/certs/matching.go#L21