cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.
## Description of problem:

Cockpit (which uses gnuTLS) rejects certificate chain with distributed trust.

The provided certificate file contains the certificate C for the TLS endpoint, followed by 3 chains of trust (Interm 2A, Interm 1A, Root A). The three roots cross-signed each other.

Chain looks like so in PEM format:

```
C
Interm 2A
Interm 1A
Interm 2B
Interm 1B
Interm 2C
Interm 1C
KeyRootA_SignedB
KeyRootA_SignedC
KeyRootB_SignedA
KeyRootB_SignedC
KeyRootC_SignedA
KeyRootC_SignedB
Root A
Root B
Root C
```

This is not a public chain.

## Version of gnutls used:

gnutls-3.8.2-2.fc39.x86_64

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora 39

## How reproducible:

Steps to Reproduce:

If I run (checks the certificates that will be used by cockpit):

```
$ sudo /usr/libexec/cockpit-certificate-ensure --check
```

with the above chain, I get the following error from gnuTLS:

```
cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.
```

If I delete the cross-signed certifications of the roots from the chain, i.e.:

```
KeyRootA_SignedB
KeyRootA_SignedC
KeyRootB_SignedA
KeyRootB_SignedC
KeyRootC_SignedA
KeyRootC_SignedB
```

then there is no error.

Sorting this list of certificates should not cause an assertion.
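The behaviour the report asks for, as an added example that is not GnuTLS code and not part of the original report: a chain sorter that orders what it can link and leaves the remaining certificates after the chain, so a list length different from the chain length is an ordinary result. The `struct cert` stand-in, the function names and the issuer of each entry in the constructed bundle are assumptions; the report only gives the certificate labels and their order.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate: only subject and issuer names. */
struct cert { const char *subject, *issuer; };

/* Reorder list[0..n) in place so that list[i+1] is named as issuer of list[i];
 * certificates not reached stay after the chain. Returns the chain length k.
 * k < n is a normal result here, not an error. */
size_t sort_chain(struct cert *list, size_t n)
{
    size_t k = n ? 1 : 0;
    while (k > 0 && k < n) {
        const char *want = list[k - 1].issuer;
        size_t j = k;
        if (strcmp(list[k - 1].subject, want) == 0)
            break;                      /* self-signed: chain is complete */
        while (j < n && strcmp(list[j].subject, want) != 0)
            j++;
        if (j == n)
            break;                      /* issuer not in the list */
        struct cert tmp = list[k]; list[k] = list[j]; list[j] = tmp;
        k++;
    }
    return k;
}

/* 1 if every entry in the first k is followed by its named issuer. */
int chain_linked(const struct cert *list, size_t k)
{
    for (size_t i = 0; i + 1 < k; i++)
        if (strcmp(list[i].issuer, list[i + 1].subject) != 0)
            return 0;
    return 1;
}

/* Constructed bundle in the report's order; issuer names are assumed. */
struct cert bundle[] = {
    {"C", "Interm 2A"}, {"Interm 2A", "Interm 1A"}, {"Interm 1A", "Root A"},
    {"Interm 2B", "Interm 1B"}, {"Interm 1B", "Root B"},
    {"Interm 2C", "Interm 1C"}, {"Interm 1C", "Root C"},
    {"Root A", "Root B"}, {"Root A", "Root C"}, {"Root B", "Root A"},
    {"Root B", "Root C"}, {"Root C", "Root A"}, {"Root C", "Root B"},
    {"Root A", "Root A"}, {"Root B", "Root B"}, {"Root C", "Root C"},
};

int main(void)
{
    size_t n = sizeof bundle / sizeof bundle[0], k = sort_chain(bundle, n);
    printf("chain length %zu of %zu, linked=%d\n", k, n, chain_linked(bundle, k));
    return 0;
}
```

Because several entries share a subject name, a first-match walk can pass through cross-signed certificates before it reaches a self-signed root; each entry is placed at most once, so the loop still terminates.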