Missing CA certificates with libcurl4-nss-dev

[g2p]

On Ubuntu Lunar, when curl is built with NSS:

> sudo apt install libcurl4-nss-dev nss-plugin-pem
> cargo clean; cargo run --example https
Running `target/debug/examples/https`
Error: Error { description: "SSL peer certificate or SSH remote key was not OK", code: 60, extra: Some("Peer's Certificate issuer is not recognized.") }

Not necessarily a bug in curl-rust, but my starting point was https://github.com/Byron/gitoxide/issues/813 and I'm not sure where to forward the bug / where this should be fixed.

[g2p]

Reproducible on Debian bookworm (testing) as well (where libcurl4-nss-dev does pull nss-plugin-pem):

cat Dockerfile 
FROM docker.io/library/rust:1-slim-bookworm
RUN cargo search --limit 0
RUN apt update && apt -y install --no-install-recommends libcurl4-nss-dev git pkg-config libssl-dev
RUN git clone --depth 1 https://github.com/alexcrichton/curl-rust.git
RUN (set -e; cd curl-rust; cargo fetch)
RUN (set -e; cd curl-rust; cargo run --example https)

[g2p]

Filed here (using curl-rust for an easy reproduction): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034359