I guess it's to be expected. Here is what `openssl s_client
graph.facebook.com:443` prints:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU =
www.digicert.com, CN = DigiCert
High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.
facebook.com
i:/C=US/O=DigiCert Inc/OU=
www.digicert.com/CN=DigiCert High Assurance CA-3
1 s:/C=US/O=DigiCert Inc/OU=
www.digicert.com/CN=DigiCert High Assurance CA-3
i:/C=US/O=DigiCert Inc/OU=
www.digicert.com/CN=DigiCert High
Assurance EV Root CA
2 s:/C=US/O=DigiCert Inc/OU=
www.digicert.com/CN=DigiCert High
Assurance EV Root CA
i:/C=US/O=Entrust.net/OU=
www.entrust.net/CPS incorp. by ref.
(limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure
Server Certification Authority
AFAIK, all of DigiCert's signing authority has been revoked so it's no
wonder the certificate doesn't validate.
It *is* rather peculiar that the curl on my system accepts it just
fine, though. Maybe my system's certificate store needs updating...