cURL and self-signed certificates on FreeBSD 13

Symptom

cURL cannot verify the remote server's certificate, e.g. because it is self-signed or signed by a private CA that is not in the system trust store:

$ curl https://my.webserver.internal/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Insecure solution

$ curl -k https://my.webserver.internal/

-k (--insecure) turns certificate verification off altogether: the connection is still encrypted but no longer authenticated, so anyone who can intercept traffic to my.webserver.internal can present their own certificate and read or alter the exchange. Use it for a one-off diagnosis at most, never in scripts or cron jobs.

Secure suggestion

  1. Recompile cURL without the CA_BUNDLE option. Untick CA_BUNDLE in the config dialog, then rebuild and reinstall the port:
    # make -C /usr/ports/ftp/curl config
    # make -C /usr/ports/ftp/curl
    # make -C /usr/ports/ftp/curl deinstall reinstall clean
    
  2. Place your CA's root certificate in /usr/local/share/certs, one of the directories certctl scans for trusted certificates. Make sure it is PEM encoded and its filename ends with .pem.
  3. Rehash /etc/ssl/certs with certctl so that OpenSSL, and with it cURL, picks the new root up:
    # certctl -v rehash
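
Steps 2 and 3 plus the final check, written up as one script. This is an added example, not code from the original page: it takes the CA file as its first argument (an assumed, hypothetical path), refuses files that are not PEM, not named .pem, or neither a CA nor self-signed, and then verifies the page's my.webserver.internal without -k. The PEM/filename check is pure shell; the trust-anchor check needs openssl, and the install and certctl calls need root on FreeBSD.

```sh
#!/bin/sh
# Added example (not from the original page): install a private root into
# FreeBSD's trust store and verify with curl built without CA_BUNDLE.
# Assumed, not from the page: the CA file path passed as $1.
set -eu

TRUSTDIR=/usr/local/share/certs   # one of certctl's default trusted paths

# Pure-shell precheck: certctl only picks up files whose name ends in .pem,
# and the file must hold a PEM certificate, not a DER blob or a private key.
is_pem_cert() {
    case "$1" in
        *.pem) ;;
        *) return 1 ;;
    esac
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Only a trust anchor belongs in the store: either a CA certificate
# (basicConstraints CA:TRUE) or a self-signed server certificate, which
# is its own anchor. "openssl verify -CAfile X X" succeeds only when X
# is self-signed (and not expired).
is_trust_anchor() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && return 0
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

install_ca() {
    ca=$1
    is_pem_cert "$ca" || { echo "refusing $ca: not a .pem certificate" >&2; return 1; }
    is_trust_anchor "$ca" || { echo "refusing $ca: neither a CA nor self-signed" >&2; return 1; }
    install -m 0644 "$ca" "$TRUSTDIR/$(basename "$ca")"
    certctl -v rehash      # regenerates /etc/ssl/certs from the trusted paths
}

# Verification without -k: curl exits 60 if the chain is still untrusted,
# otherwise prints the HTTP status code.
check_host() {
    curl -sS -o /dev/null -w '%{http_code}\n' "https://$1/"
}

if [ $# -eq 1 ]; then
    install_ca "$1"
    check_host my.webserver.internal
fi
```

Run it as root, e.g. sh install-ca.sh /path/to/my-internal-ca.pem. Before rebuilding anything, curl-config --ca shows the bundle path compiled into the installed binary; it prints an empty line when CA_BUNDLE is off. If you cannot rebuild the port, curl --cacert /path/to/my-internal-ca.pem keeps verification on for a single invocation, but only against that file.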
    

Background

If cURL has been compiled with the CA_BUNDLE option, it ignores the system trust store and verifies every remote server against /usr/local/share/certs/ca-root-nss.crt only, the Mozilla root bundle installed by the security/ca_root_nss port. Roots added with certctl therefore have no effect on such a binary. Built without CA_BUNDLE, cURL falls back to OpenSSL's default locations under /etc/ssl, which is exactly what certctl rehash populates from /usr/local/share/certs and the other trusted paths.