On Tue, 2021-11-23 at 18:14 -0500, Jack wrote:
> OK, here's something.
>
> I changed my stable version of ca-certificates from -cacert to cacert,
> and now I get the same failure you do. So - it's due to either
> something in nss-cacert-class1-class3-r2.patch which only gets applied
> if that USE flag is set, or to something else only done when that USE
> flag is set.
>
> I don't understand it, but it's a place to start - and note the note in
> the ebuild:
>
> # When triaging user reports, refer to our wiki for tips:
> # https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
>

Another update, I have masked ~arch ca-certificates:

  >app-misc/ca-certificates-20210119.3.66

Downgraded to stable one, and now certificate verification is successful
with gnutls-cli on my test example. Weird since it didn't fail to verify
similar chains with newer app-misc/ca-certificates.

I will file a bug report, but still not sure which component,
app-misc/ca-certificates or net-libs/gnutls.

Regards,
Branko