Cargo uses curl-rust and git2-rs (which uses curl-rest as well).
Unfortunately, git2-rs calls openssl_probe::init_ssl_cert_env_vars()
unconditionally which breaks the process environment by setting an invalid
value for SSL_CERT_DIR and then the system default truststore is circumvented,
resulting in certificate validation errors even if certlctl(8) manages
everything nicely.
Upstream issues: