From: "Thierry Vignaud"

Humm interestingly, Fedora compiles pk11-kit with:
 -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source

We don't have those directories.
But both are provided by ca-certificates on FC… which packages certificates
from NSS/firefox…

See eg:

Summary: The Mozilla CA root certificate bundle
(…)
# The files should be taken from a released version of NSS, as published
# at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/
#
# The versions that are used by the latest released version of
# Mozilla Firefox should be available from:
#
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
#
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
(…)
%description
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.


I guess we should do something similar in rootcerts…

I did a quick test:
- installing ca-certificates from FC (with --force due to file conflicts
with MGA'srootcerts)
- compiling & updating pk11-kit with:
--- SPECS/p11-kit.spec  (révision 1590464)
+++ SPECS/p11-kit.spec  (copie de travail)
@@ -67,6 +67,7 @@

 %build
 %meson -Dgtk_doc=true \
+
-Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source
\
        -Dman=true
 %meson_build

And indeed chromium works again…

FC added trusted certificates there:
https://src.fedoraproject.org/rpms/ca-certificates/c/708646cc4665fb5874c1df69b2b9601ded87e2de

Hope that enables you to do sg similar in our rootcerts…
See you