Comment 17 for bug 1424549

Mike Pontillo (mpontillo) wrote :

It seems that the problem is (1) (but it isn't quite what I expected). The certificates in your file are completely different from what I would expect, in order to properly validate. The leaf certificate in your file (per "openssl x509 -inform pem -in <file> -text", after placing the individual certificate into <file>) is the following:

        Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2
        Validity
            Not Before: Apr 8 08:26:03 2014 GMT
            Not After : Oct 15 16:10:53 2014 GMT
        Subject: OU=Domain Control Validated, CN=entropy.ubuntu.com

The remainder of the certificates in the file are the CA and intermediate certificates.

Maybe out-of-date MAAS images are at fault? (Though if the packages get updated, you shouldn't see this problem, since you'll get a new "pinned" certificate chain.) You could try updating the MAAS images, or even try using the 'daily' URL (which is updated for security updates and/or every couple of weeks with the latest updated packages):

https://maas.ubuntu.com/images/ephemeral-v2/daily/

Perhaps the daily images contain the appropriate certificates. And I hope that's still the case in 20 hours. ;-) I just checked, and the following certificate is actually in *my* pinned trust store:

        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Aug 7 00:00:00 2015 GMT
            Not After : Aug 11 12:00:00 2016 GMT
        Subject: C=GB, ST=Southwark, L=London, O=Canonical Group Ltd, CN=entropy.ubuntu.com

So my conclusion is that everything should work fine, provided that you have the most up-to-date MAAS images.
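
Added example, not part of the original comment and not MAAS code: a shell function that splits a PEM bundle, such as the pinned certificate file discussed above, into individual certificates and reports each one's expiry and subject with `openssl x509`, so a stale leaf certificate stands out without copying each certificate into its own file by hand. The function names and the sample certificates (`sample-*.example`) are constructed for illustration.

```bash
# audit_bundle FILE [WINDOW_SECONDS]
# Prints one line per certificate in FILE: index, status, notAfter, subject.
# Returns 1 if any certificate expires within WINDOW_SECONDS (default 0,
# i.e. already expired), 2 if FILE contains no certificate.
# Usage: audit_bundle /path/to/pinned-chain.pem 2592000
audit_bundle() {
    local bundle="$1" window="${2:-0}" tmp rc=0 n=0 cert status subject end
    tmp=$(mktemp -d) || return 2
    # Split the bundle: each BEGIN CERTIFICATE line starts a new numbered file.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for cert in "$tmp"/cert-*.pem; do
        [ -e "$cert" ] || { echo "no certificates found in $bundle" >&2; rc=2; break; }
        n=$((n + 1))
        subject=$(openssl x509 -in "$cert" -noout -subject)
        end=$(openssl x509 -in "$cert" -noout -enddate)
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
            status=OK
        else
            status=EXPIRING; rc=1
        fi
        printf '%d %s %s %s\n' "$n" "$status" "${end#notAfter=}" "$subject"
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_sample_bundle FILE
# Constructed test input: two throwaway self-signed certificates (made-up
# names) valid for 1 day and 30 days, concatenated into FILE.
make_sample_bundle() {
    local out="$1" days key
    key=$(mktemp) || return 2
    : > "$out"
    for days in 1 30; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -days "$days" \
            -subj "/CN=sample-$days.example" 2>/dev/null >> "$out" || return 2
    done
    rm -f "$key"
}
```

A non-zero return from `audit_bundle` on a pinned chain file means at least one certificate in it is expired or about to expire.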