The SSL certificate for https://distfiles.gentoo.org is broken
"The certificate does not apply to the given host"
distfiles.gentoo.org has never had SSL, because we don't control those hosts, despite the domain name.
It is merely a round-robin DNS name to our many mirror hosts.
The security instead comes from external sources such as manifested repositories for source downloads and GPG signed stage3 downloads.
If you don't mind added latency, you can use the distfiles target of bouncer:
(append the filename you want afterwards)
It will not downgrade your request to HTTP (requests MAY be upgraded, but not downgraded).
You can see in the mirror data that about half of the mirrors have SSL (28 of 59).
If you see somewhere that explicitly has "https://distfiles.gentoo.org/" written, please report it as a new bug, it should be changed to http:// explicitly.