I'm no expert on SSL certificates, but I think I did this correctly, and curl is happy (thus Git too) with https://git.gnus.org. The "CAcert Class 3 Root" is the issuer of the git.gnus.org certificate and the "CA Cert Signing Authority" is next in the chain, as shown by Chrome. So I think they are all offered by the server correctly. I didn't have time to update the docs this morning, but please let me know if there's a problem with the setup.

I changed .git/config to edit the remote to https for git.gnus.org, and then got a cert failure. I then installed the CAcert root CA in /etc/openssl/certs (NetBSD), and git remote update now prompts for a password. So I think the cert is fine; anonymous fetching over https doesn't work (and maybe it's not intended to work).