I looked a bit at the gio code this morning and it appears the problem with the site in question is that gtlsdatabase-gnutls.c:build_certificate_chain does not find an "anchor" and therefore passes NULL as the anchors to gnutls_x509_crt_list_verify(), which always fails with "*output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;" in lib/x509/verify.c:_gnutls_verify_certificate2. The CLI version of gnutls seems to simply pass the list of all trusted CAs to gnutls_x509_crt_list_verify() instead of trying to find the right trusted CA itself (which looks like a more sensible approach to me).