
ca-certificates-mozilla does not trust sites behind cloudflare / SSL.COM certification

Description:

As of 2025-05-23, the Arch Linux TLS stack does not trust certain sites that are behind Cloudflare's services. Any application that uses the OS certificates and attempts to connect to them will meet an "unknown issuer" error with varying wording.

During a discussion in the #archlinux IRC, in which many other members tested and reproduced the error, it was found out that the issue lies in the ca-certificates-mozilla package with (if memory does not fail me) the issue at hand being that, during an update of said package, the trust on SSL.COM certificates was dropped and sites signed by this issuer became untrusted.

I do not know if this was intentional or not, nor if the resolution of this issue lies with Arch's packaging team or an external actor (Mozilla? Cloudflare?), but @maintainer: please be aware of this issue. If this cannot be fixed from Arch's side, perhaps we could make the upstream aware of it?

An example website involving this issue is https://c.im (a Mastodon instance).

Additional info:

  • package version(s): ca-certificates-mozilla-3.111-1
  • config and/or log files: error message with verbose output -> https://0x0.st/8wNs.txt
  • link to upstream bug report, if any: (?)

Steps to reproduce:

  1. Install latest ca-certificates-mozilla and an application that uses the OS's TLS stack, like curl, wget, dillo, etc.
  2. Connect the application to https://c.im, for example: curl https://c.im.
  3. The application cannot complete the request due to a certificate error.
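A way to confirm which issuer the verifier could not find and whether that CA is present in the OS bundle, as an added example that is not part of this report: the `openssl s_client` output and the bundle listing below are constructed samples, and the CA names are placeholders, not c.im's real chain.

```python
import re

# Constructed sample of `openssl s_client -connect HOST:443 -servername HOST` output for a
# chain whose top issuer is absent from the local store (verify error 20); placeholder CAs.
SAMPLE_S_CLIENT = """\
depth=1 C = US, O = Example Intermediate CA (constructed)
verify error:num=20:unable to get local issuer certificate
depth=0 CN = c.im
---
Certificate chain
 0 s:CN = c.im
   i:C = US, O = Example Intermediate CA (constructed)
 1 s:C = US, O = Example Intermediate CA (constructed)
   i:C = US, O = Example Root CA (constructed)
"""
# Constructed sample of the OS bundle listing; on a real host produce it with:
#   openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt \
#     | openssl pkcs7 -print_certs -noout
SAMPLE_BUNDLE = """\
subject=C = US, O = Some Other Root (constructed)
issuer=C = US, O = Some Other Root (constructed)
"""
VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)
DEPTH = re.compile(r"^depth=(\d+) ", re.M)
CHAIN = re.compile(r"^ *(\d+) s:(.*)\n +i:(.*)$", re.M)

def verify_error(out):
    """(depth, errnum, message) of the first verify error, or None if it verified."""
    m = VERIFY_ERR.search(out)
    if not m:
        return None
    depth = DEPTH.findall(out[: m.start()])[-1]  # the depth= line printed just before
    return int(depth), int(m.group(1)), m.group(2).strip()

def missing_issuer(out):
    """Subject of the CA openssl looked for locally and did not find (error 20)."""
    err = verify_error(out)
    if err is None or err[1] != 20:
        return None
    issuers = {int(n): i.strip() for n, _s, i in CHAIN.findall(out)}  # position -> issuer
    return issuers.get(err[0])

def norm(dn):
    # Normalise spacing around '=' and ',' so DNs printed by different tools compare equal.
    return re.sub(r"\s*,\s*", ", ", re.sub(r"\s*=\s*", " = ", dn.strip()))

def in_bundle(subject, bundle_listing):
    """True if a cert with this subject is in the bundle listing, i.e. the root is trusted."""
    subjects = {norm(s) for s in re.findall(r"^subject=(.*)$", bundle_listing, re.M)}
    return norm(subject) in subjects
```

If `missing_issuer` names a root that `in_bundle` reports absent, the failure is a trust-store gap rather than a misconfigured server chain, which is what distinguishes this report from the usual "missing intermediate" case.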

Workaround

Downgrading ca-certificates-mozilla to version 3.110-1 restores expected behavior to the system's TLS stack. For now, I marked the package to be ignored in /etc/pacman.conf.
