Curl not recognizing /etc/ssl/certs

Hi there,

Is it normal that the default curl installation does not recognize the /etc/ssl/certs dir?
Because if I try

curl -v https://my.route-rdomain.net

I get the error "BADCERT_NOT_TRUSTED"

But if I try

curl --capath /etc/ssl/certs -v https://my.route-rdomain.net
# or
curl --cacert /etc/acme/my.router-domain.net_ecc/ca.cer -v https://my.route-rdomain.net
# or
SSL_CERT_DIR=/etc/ssl/certs curl -v https://my.route-rdomain.net

I get a normal response...

In case it wasn't already clear, I am using a Let's Encrypt certificate, and my router domain has a hostname entry to 192.168.1.1 (could this be the problem?). The verification was done via a DNS entry because LuCI is not publicly available.

However, I also tried to put the ca.pem from the acme folder into the trusted store at /etc/ssl/certs, but curl only recognizes it if I set the path somehow.

So my question is, is this behaviour expected? Oo
I use a default firmware from the firmware selector so no special build.

cheers
Christopher

Install strace then run
strace curl https://my.route-rdomain.net 2>&1 | grep open

At the end of the output you should see where the program was looking for the certs. For example:
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_LARGEFILE) = 6

Hmm, it looks like my Let's Encrypt cert is not in the trusted chain, if I'm not wrong...

[root@l][~] # strace curl https://l.ies4-7.net 2>&1 | grep open
openat(AT_FDCWD, "/etc/ld-musl-aarch64.path", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libcurl.so.4", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/lib/libcurl.so.4", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libcurl.so.4", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libnghttp2.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/lib/libnghttp2.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnghttp2.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libmbedtls.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/lib/libmbedtls.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libmbedtls.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libmbedx509.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/lib/libmbedx509.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libmbedx509.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libmbedcrypto.so.7", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/lib/libmbedcrypto.so.7", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libmbedcrypto.so.7", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libgcc_s.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/root/.curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/.config/curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/root/.curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 5
openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_LARGEFILE) = 6
openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_LARGEFILE) = 6
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_LARGEFILE) = 6

[root@l][~] # curl -vvv https://my.router-domain.net/
* Cert verify failed: BADCERT_NOT_TRUSTED
curl: (60) Cert verify failed: BADCERT_NOT_TRUSTED
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

OK, so I tried to put the acme-created ca.crt from /etc/acme/my.router-domain_ecc/ca.crt into the trusted state as described in https://openwrt.org/docs/guide-user/services/tls/pki

But without any luck.
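
Added example, not part of the thread: the trace above ends with curl opening only the bundle file /etc/ssl/certs/ca-certificates.crt, so these helpers reduce strace output to the certificate stores that were actually opened and check whether a given CA certificate is present in a bundle. The function names and sample lines are constructed for illustration, and the "dir" classification assumes a directory lookup appears as an open with O_DIRECTORY, as opendir() does on Linux.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# Read strace output on stdin; print "<kind> <path>" for every certificate
# store that was opened successfully. kind is "dir" when the open used
# O_DIRECTORY (assumed shape of a --capath / SSL_CERT_DIR lookup), else "file".
ca_stores_opened() {
    awk -F'"' '
        /^open(at)?\(/ && $3 !~ /= -1 / &&
        $2 ~ /(\/ssl\/|\/certs\/|\.pem$|\.crt$|\.cer$)/ {
            kind = ($3 ~ /O_DIRECTORY/) ? "dir" : "file"
            print kind, $2
        }'
}

# Succeed if the first certificate in PEM file $1 also appears in bundle $2.
# Compares base64 bodies with line wrapping removed, so it needs only awk.
pem_in_bundle() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/ {on = 1; next}
                /-----END CERTIFICATE-----/   {exit}
                on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1")
    [ -n "$body" ] || return 2   # no certificate found in $1
    awk -v want="$body" '
        /-----BEGIN CERTIFICATE-----/ {cur = ""; on = 1; next}
        /-----END CERTIFICATE-----/   {if (cur == want) found = 1; on = 0; next}
        on {gsub(/[ \t\r]/, ""); cur = cur $0}
        END {exit !found}' "$2"
}

# Constructed sample: a few lines in the shape of the trace posted above.
sample_trace() {
    cat <<'EOF'
openat(AT_FDCWD, "/usr/local/lib/libmbedx509.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libmbedx509.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_LARGEFILE) = 6
EOF
}

# Stand-alone run: prints "file /etc/ssl/certs/ca-certificates.crt"
sample_trace | ca_stores_opened
```

On the router, pipe the real trace in with `strace curl -v https://my.route-rdomain.net 2>&1 | ca_stores_opened`, then run `pem_in_bundle /etc/acme/my.router-domain.net_ecc/ca.cer /etc/ssl/certs/ca-certificates.crt` to see whether the issuing CA is in the file that curl reads.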