Ticket #1356 (closed defect: fixed)

Opened 11 years ago

Last modified 7 years ago

Debian certificate store does not trust InCommon signer

Reported by: geofft Owned by:
Priority: normal Milestone: The Distant Future
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug: Debian:762709

Description

geofft@leveret:~$ gnutls-cli scripts.mit.edu -p 443
Resolving 'scripts.mit.edu'...
Connecting to '18.181.0.43:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1022 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `serialNumber=sKLt5io360jM-oAd2EGLNK0EraXwXE46,C=US,ST=Massachusetts,L=Cambridge,O=Massachusetts Institute of Technology,OU=scripts.mit.edu web hosting service,CN=scripts.mit.edu', issuer `C=US,O=GeoTrust\, Inc.,CN=GeoTrust SSL CA', RSA key 4096 bits, signed using RSA-SHA1, activated `2011-05-24 11:40:52 UTC', expires `2016-06-24 16:28:06 UTC', SHA-1 fingerprint `422672285446d04a057fb038d917ab39fa868c02'
 - Certificate[1] info:
  - subject `C=US,O=GeoTrust\, Inc.,CN=GeoTrust SSL CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-19 22:39:26 UTC', expires `2020-02-18 22:39:26 UTC', SHA-1 fingerprint `780a06f6e9b4061cad0c6502710606eb535f1c26'
- The hostname in the certificate matches 'scripts.mit.edu'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

You see the same sort of thing with an OpenSSL-using client (openssl, socat, etc.).

I am a little confused, because Iceweasel trusts it just fine, and I _thought_ that Debian had hacked up iceweasel / its libnss3 to use the system certificate store -- also because I thought Debian regularly syncs ca-certificates with the Mozilla list of trusted certs (and then makes some capricious changes on their own like including CACert, but).
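Added example, not part of the ticket or of Debian's ca-certificates: a shell script that builds a throwaway root / intermediate / leaf chain with the openssl command-line tool and verifies that same server chain against two client trust stores, one lacking the root and one containing it. It assumes a POSIX shell, mktemp and openssl 1.1.1 or later; every CA name in it is constructed.

```shell
# Added example (not from the ticket): build a throwaway Root -> Intermediate
# -> Leaf chain with openssl and show that the same server chain verifies or
# fails depending only on which roots the client's trust store contains.
# All names are constructed; only openssl and a POSIX shell are assumed.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example.test\n' > "$WORK/leaf.ext"

# mkcsr NAME SUBJECT: fresh RSA key plus CSR in $WORK/NAME.{key,csr}
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Root: self-signed (the "GeoTrust Global CA" position in the ticket's chain).
mkcsr root '/CN=Example Root CA'
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate signed by the root (the "GeoTrust SSL CA" position).
mkcsr int '/CN=Example Intermediate CA'
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Leaf signed by the intermediate (the scripts.mit.edu position).
mkcsr leaf '/CN=leaf.example.test'
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Two client trust stores: one holding an unrelated root only, one that also
# holds our root. A server sends leaf+intermediate, never the root itself.
mkcsr other '/CN=Unrelated Root CA'
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/store-without-root.pem" 2>/dev/null
cat "$WORK/store-without-root.pem" "$WORK/root.pem" > "$WORK/store-with-root.pem"

# verify_chain STORE: build a path from leaf.pem through the untrusted
# intermediate to a root in STORE only (-no-CApath ignores the system dir);
# prints "trusted" or "untrusted" and always exits 0.
verify_chain() {
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$WORK/int.pem" \
       "$WORK/leaf.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

verify_chain "$WORK/store-without-root.pem"   # untrusted: issuer unknown
verify_chain "$WORK/store-with-root.pem"      # trusted: same chain, fuller store
```

The first call reproduces the "Peer's certificate issuer is unknown" verdict above; the second shows the identical chain verifying once the root is present in the client's store, which is exactly what separates a client that trusts this server from one that does not.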

Change History

comment:1 Changed 7 years ago by andersk

  • Status changed from new to closed
  • Upstream bug set to Debian #762709
  • Resolution set to fixed

comment:2 Changed 7 years ago by andersk

  • Upstream bug changed from Debian #762709 to Debian:762709

comment:3 Changed 7 years ago by kaduk

This is only closed for stretch and later, right?

comment:4 Changed 7 years ago by andersk

Closed in jessie (ca-certificates 20141019+deb8u1) and stretch+ (ca-certificates 20150426).
