A friend of mine is able to reproduce this error on an updated Fedora 34 as well.

Deploying the new pem as described in the related D25023 fixed the issue.

Adding for refs https://discourse.phabricator-community.org/t/arc-blind-trusting-domains-and-cert-errors/4980/4

What was the original rationale behind shipping a certificate bundle with Arcanist? It may be better to rely on the system certificate bundle instead (that also tends to have certificates from, for example, internal company issuers as well).

This is what the README says - And maybe we should remove support for the default.pem altogether? (But, possibly leave support for custom.pem)

https://we.phorge.it/source/arcanist/browse/master/resources/ssl/README;4230292997cef41ae2ec3259db009ce372b9ae79?as=remarkup

This document describes how to set Certificate Authority information.
Usually, you need to do this only if you're using a self-signed certificate.

OSX after Yosemite

If you're using a version of Mac OSX after Yosemite, you can not configure
certificates from the command line. All libphutil and arcanist options
related to CA configuration are ignored.

Instead, you need to add them to the system keychain. The easiest way to do this
is to visit the site in Safari and choose to permanently accept the certificate.

You can also use security add-trusted-cert from the command line.

All Other Systems

If "curl.cainfo" is not set (or you are using PHP older than 5.3.7, where the
option was introduced), libphutil uses the "default.pem" certificate authority
bundle when making HTTPS requests with cURL. This bundle is extracted from
Mozilla's certificates by cURL:

http://curl.haxx.se/docs/caextract.html

If you want to use a different CA bundle (for example, because you use
self-signed certificates), set "curl.cainfo" if you're using PHP 5.3.7 or newer,
or create a file (or symlink) in this directory named "custom.pem".

If "custom.pem" is present, that file will be used instead of "default.pem".

If you receive errors using your "custom.pem" file, you can test it directly
with curl by running a command like this:

curl -v --cacert path/to/your/custom.pem https://phabricator.example.com/

Replace "path/to/your/custom.pem" with the path to your "custom.pem" file,
and replace "https://phabricator.example.com" with the real URL of your
Phabricator install.

The initial lines of output from curl should give you information about the
SSL handshake and certificate verification, which may be helpful in resolving
the issue.

+1 to removing default.pem
/shrug on keeping custom.pem

Adding custom certificates to the system bundle on Linux is easy enough and usually necessary anyways, so if it takes additional work to keep custom.pem, I'd just drop it.

I also noticed that some of the technical issues (existence of curl.cainfo) would be resolved by T15047

I think updating the current pem file is a good holdover patch for now (sorry for the delay in reviewing the change). Re-working how arcanist manages certs is something we can look at addressing long-term.

We've picked up an updated version of the pem at https://secure.phabricator.com/D21739 - it's not the latest, but is it recent enough?

I submitted D25049 for review on the 26th to address certs signed by the ISRG Root X2 root that is in the updated default.pem file.

@avivey the one in upstream does not contain the new ISRG Root X2 CA.