Что случилось с curl --cacert на самозаверяющих сертификатах между 7.47.0 и 7.58.0?

Question

У меня есть https-сервер с самозаверяющим сертификатом, который мне нравится использовать curl --cacert cert.pem от Ubuntu Xenial и Ubuntu Bionic.Ксениал работает.Бионика нет.

Вот мой минимальный репродуктор:

for distribution in xenial bionic; do
    docker image build --tag curl-openssl:${distribution} --file - $(mktemp -d) <<EOF
FROM ubuntu:${distribution}
RUN apt-get -qy update && apt-get -qy install curl openssl
EOF
    docker container run -i --rm curl-openssl:${distribution} sh <<EOF
openssl version
curl --version
openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null \
    | sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p" \
    >cert.pem
curl -sS --cacert cert.pem https://example.com >/dev/null
EOF
done

Вот как это выглядит при запуске:

Sending build context to Docker daemon  1.614kB
Step 1/2 : FROM ubuntu:xenial
 ---> 9361ce633ff1
Step 2/2 : RUN apt-get -qy update && apt-get -qy install curl openssl
 ---> Using cache
 ---> a2adb354b7f2
Successfully built a2adb354b7f2
Successfully tagged curl-openssl:xenial
OpenSSL 1.0.2g  1 Mar 2016
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
Sending build context to Docker daemon  1.583kB
Step 1/2 : FROM ubuntu:bionic
 ---> 94e814e2efa8
Step 2/2 : RUN apt-get -qy update && apt-get -qy install curl openssl
 ---> Using cache
 ---> 92ed1418e85e
Successfully built 92ed1418e85e
Successfully tagged curl-openssl:bionic
OpenSSL 1.1.1  11 Sep 2018
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.