OK, here's something.
I changed my stable version of ca-certificates from -cacert to cacert,
and now I get the same failure you do. So - it's due to either
something in nss-cacert-class1-class3-r2.patch which only gets applied
if that USE flag is set, or to something else only done when that USE
flag is set.
I don't understand it, but it's a place to start - and note the note in
the ebuild:
# When triaging user reports, refer to our wiki for tips:
# https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
