Comment 10 for bug 1864689

So, in their chain of certs that they present there is still an RSA-SHA1 certificate. It shouldn't affect validation, as the other certs in the chain are sufficient (for example gnutls-cli toodledo.com connects fine) but it does trip up openssl:

- Certificate[3] info:
 - subject `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', issuer `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', serial 0x00, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2004-06-29 17:06:20 UTC', expires `2034-06-29 17:06:20 UTC', pin-sha256="VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8="

Now, they could remove that cert from the chain that their server uses. But also they should not need to do this and openssl should just work.