Created attachment 371196
gnutls-cli output showing bad cert
Lists.gentoo and mail.gentoo use CAcert-signed TLS end-entity certs.
The intermediate certs on both are CAcert’s old MD5-signed intermediate. As such, GnuTLS — and perhaps other TLS libs — refuse to trust it, even when CAcert’s root cert is trusted.
CAcert issued a new intermediate in 2011 which is signed with SHA-256.
Mail.gentoo uses the new intermediate. Lists.gentoo also needs to.
For lists, this only requires using the new intermediate; the rest of the config is OK.
(TLS to mail.gentoo fails because its cert is for dev.gentoo; it would be useful to have CAcert issue it its own ee cert.)
We no longer have CAcert certificates in use.