Created attachment 943418
chain of valid certs for this server

$ openconnect --cafile scsir-certchain.crt scsir.intel.com
POST https://scsir.intel.com/
Attempting to connect to server 213.190.153.55:443
SSL negotiation with scsir.intel.com
Server certificate verify failed: signer not found

If I hack openconnect's gnutls.c to eliminate the call to gnutls_certificate_set_x509_system_trust() so it's *only* using the user-provided certs, then it works fine.

Note that in this case none of the relevant certs are actually *in* the system database. It looks like we just aren't *bothering* with the provided trust file.
The issue has been addressed upstream: https://gitorious.org/gnutls/gnutls/commit/24c4991469509d7a57d8d61ab619a19a2034bdc7
gnutls-3.3.9-1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/gnutls-3.3.9-1.fc21
Package gnutls-3.3.9-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.9-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12774/gnutls-3.3.9-1.fc21
then log in and leave karma (feedback).
gnutls-3.3.9-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.