When working on the ca-certificates package for version 2.1 and 2.2, I made two mistakes when gathering which CAs should get the legacy status. In short, two AOL roots don't need to be included as legacy, but two NetLock roots should be included as legacy CAs. I have documented the full details on the project web page: https://fedoraproject.org/wiki/CA-Certificates
ca-certificates-2015.2.3-1.0.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/ca-certificates-2015.2.3-1.0.fc22
ca-certificates-2015.2.3-1.0.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/ca-certificates-2015.2.3-1.0.fc21
ca-certificates-2015.2.3-1.0.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/ca-certificates-2015.2.3-1.0.fc20
Package ca-certificates-2015.2.3-1.0.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing ca-certificates-2015.2.3-1.0.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-4486/ca-certificates-2015.2.3-1.0.fc20 then log in and leave karma (feedback).
ca-certificates-2015.2.3-1.0.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.