CN = Equifax Secure Global eBusiness CA-1
O = Equifax Secure Inc.
C = US
which was missing from my ca-certificates configuration (unchecked in debconf). I'm pretty sure I never touched this, and the changelog says it was disabled temporarily by the maintainer, so I suspect a bug.
Twitter's SSL certificate seems to be signed by:
CN = Equifax Secure Global eBusiness CA-1
O = Equifax Secure Inc.
C = US
which was missing from my ca-certificates configuration (unchecked in debconf). I'm pretty sure I never touched this, and the changelog says it was disabled temporarily by the maintainer, so I suspect a bug.