It seems that https://distfiles.gentoo.org/ delivers the content of https://gentoo.ussg.indiana.edu/, which uses an expired certificate. You may tell them to renew the certificate or stop SSL.
Nope, distributing a shared certificate would be far too much work, since each mirror runs independently. If you connect to 443 and get a certificate error, that's as much your fault as connecting to 6697 and getting a certificate error.