New comment by sgn on void-packages repository

https://github.com/void-linux/void-packages/issues/31161#issuecomment-881979791

Comment:
Hm, the problem is not our `ca-certificates`, https://code.soundsoftware.ac.uk is signed by an intermediate certfificates, which in turn signed by `QuoVadis Root CA 2 G3`, our current ca-certificates has that root certs already.

However, https://code.soundsoftware.ac.uk doesn't send the full certificate chain, so neither openssl nor curl can verify.
You can confirm by:
```sh
{
    curl -L http://trust.quovadisglobal.com/quovadiseuropeevsslcag1.crt |
        openssl x509 -inform DER -outform PEM
    openssl s_client -showcerts -servername code.soundsoftware.ac.uk -connect code.soundsoftware.ac.uk:443 </dev/null
} >fullchain.pem
openssl verify fullchain.pem
```

Solution:
- Each of those servers should send the full chain; or
- Changing out libfetch to inspect certificate and download the intermediate certificates.