As pointed out by claudio, like most of the RFC 3779 stuff, X509_V_ERR_UNNESTED_RESOURCE is missing from our documentation. Here's a stab at summarizing what this error means.
Index: man/X509_STORE_CTX_get_error.3 =================================================================== RCS file: /cvs/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3,v retrieving revision 1.20 diff -u -p -r1.20 X509_STORE_CTX_get_error.3 --- man/X509_STORE_CTX_get_error.3 17 Nov 2021 16:08:32 -0000 1.20 +++ man/X509_STORE_CTX_get_error.3 22 Jan 2022 10:11:11 -0000 @@ -509,6 +509,13 @@ A name constraint violation occurred in No name constraints minimum and maximum not supported A certificate name constraints extension included a minimum or maximum field: this is not supported. +.It Dv X509_V_ERR_UNNESTED_RESOURCE : \ + RFC 3779 resource not subset of parent's resources +When walking up a certificate chain, all resources specified in +RFC 3779 extensions must be contained in the resources delegated in +the issuer's RFC 3779 extensions. +The error indicates that this is not the case or that the leaf tries +to inherit resources that the trust anchor itself inherits. .It Dv X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE : \ No unsupported name constraint type An unsupported name constraint type was encountered.
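Review bot: In the new X509_V_ERR_UNNESTED_RESOURCE entry, the last sentence narrows the inherit case to "the leaf", while the first sentence states the containment rule for every certificate met while walking up the chain. If an intermediate certificate that inherits from an inheriting trust anchor also triggers this error, "a certificate in the chain tries to inherit resources that the trust anchor itself inherits" would be more accurate; if only the leaf can trigger it, a short clause saying why would help the reader. The opening "When walking up a certificate chain, all resources specified in RFC 3779 extensions must be contained ..." also leaves implicit whose extensions are being compared against the issuer's. Something like "the resources in each certificate's RFC 3779 extensions must be contained in those delegated in its issuer's RFC 3779 extensions" makes the per-link check explicit and reads closer to the short description "resource not subset of parent's resources".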
