Description of problem: Repo auth is using OpenSSL's X509_STORE_CONTEXT::verify_cert() to validate a certificate. If this is successful it returns 1; on failure, 0. We could add a callback into M2Crypto and OpenSSL which would tell us more information about why a certificate failed verification. When a certificate fails verification we want to log a reason in Apache's logs.
Refer to the M2Crypto patches below for possible solutions to exposing the verify callback: https://bugzilla.osafoundation.org/show_bug.cgi?id=11690 and patch: https://bugzilla.osafoundation.org/attachment.cgi?id=5710
The patched version of M2Crypto was removed with commit f435a14. It looks like there is logging in the current cert verification that should be sufficient. Marking bz as closed/currentrelease but feel free to re-open if you see any particular use cases that are not logged appropriately.
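
To illustrate the kind of failure reason the description asks to have logged, here is an added example (not code from this ticket, repo auth, or M2Crypto) that uses the `openssl` command-line tool rather than the M2Crypto callback. It turns OpenSSL's verification error code, chain depth and message into one log line; the function names, file names and subject names are constructed for the demo.

```shell
# Added example: every key, certificate and name here is constructed test data.

# verify_reason CAFILE CERT
# Prints "OK", or "FAIL code=<n> depth=<d> reason=<text>" (the line to log).
verify_reason() {
    local out rc why
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && rc=0 || rc=$?
    # openssl reports: "error <code> at <depth> depth lookup: <reason>"
    why=$(printf '%s\n' "$out" | sed -n \
        's/^error \([0-9]*\) at \([0-9]*\) depth lookup: *\(.*\)$/FAIL code=\1 depth=\2 reason=\3/p' \
        | head -n 1)
    if [ -n "$why" ]; then echo "$why"; return 1; fi
    if [ "$rc" -eq 0 ]; then echo "OK"; return 0; fi
    echo "FAIL reason=unparsed openssl output"; return 1
}

# make_demo_pki DIR
# Creates two unrelated self-signed CAs and one leaf signed by CA A only.
make_demo_pki() {
    local d
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA A" \
        -keyout "$d/caA.key" -out "$d/caA.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA B" \
        -keyout "$d/caB.key" -out "$d/caB.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/caA.pem" -CAkey "$d/caA.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    # Same leaf, two trust stores: only the second yields a reason to log.
    echo "trusted CA:   $(verify_reason "$d/caA.pem" "$d/leaf.pem")"
    echo "unrelated CA: $(verify_reason "$d/caB.pem" "$d/leaf.pem")"
    rm -rf "$d"
}
demo
```

The numeric code is more stable than the message text across OpenSSL releases, so alerting on log lines is better keyed on `code=` than on the reason string.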