Turns out ca_file is the only way to make validation work. Creating a new X509 cert object out of the CA file only grabs one of the certificates, not the entire chain. Without the rest of the intermediate certs in the chain, verification fails on any machine that doesn't already have those certs.
Prior to this patch, if there was an error posting a gist, the command just exited silently.
Conflicts: gist lib/gist.rb