Flavio Poletti on 2016-10-01T19:27:50Z says:
GnuTLS usually ships a directory or a bundle of "well-known" CA certificates, which allow automatic verification of most "real" (i.e. non-autogenerated) certificates. These have to be loaded though, which is not done in the current release of Taskwarrior and results in users having to manually configure the CA files (see https://gist.github.com/polettix/e8007a7f2064e7f133d93e060032a880 for a solution involving Let's Encrypt).
As of release 3.0.20 of GnuTLS there is a convenience function to load certificates installed in the system. The following patch (diff taken against branch 2.5.2) takes care to call it if possible.
diff --git a/src/TLSClient.cpp b/src/TLSClient.cpp index cb87d1d..434392b 100644
+#if GNUTLS_VERSION_NUMBER >= 0x030014
if (_ca != "" && (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CA file. {1}", gnutls_strerror (ret));
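Review bot: The `+#if GNUTLS_VERSION_NUMBER >= 0x030014` guard is placed ahead of the `_ca != ""` check, so as far as this excerpt shows the system trust store is loaded even when the user has configured an explicit CA file, and `gnutls_certificate_set_x509_trust_file` then adds to that set instead of replacing it. For a user who points `_ca` at a single private CA, that widens the trust anchors from one CA to every CA installed on the system; consider loading system trust only when `_ca` is empty, or document the combined behaviour. The guarded call itself is not visible here, but its return value should be checked the same way the context line does (`< 0` followed by a throw or at least a log entry), so a missing or unreadable system store does not fail silently. A short comment that 0x030014 encodes 3.0.20 would also help, since the hex form is easy to misread as 3.0.14.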