Using DEBUG=validator often shows what failed.
Or DEBUG=tls,x509:3,validator,certstore,privkey to show full details, but this could be to much information making it harder to spot the issue.
If you want to trust multiple root certificates, use one certificate per file and specify all files separated with comma as described in the commit that introduced the feature.
show unixtime:int32 to see current time in seconds of device and compare that to current actual time.