@davidB
Last active December 25, 2019 08:49
GKE access failed via reqwest
[package]
name = "test_gke_cert"
version = "0.1.0"
authors = ["David Bernard"]
edition = "2018"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
# `vendored` makes the openssl crate build and statically link its own copy of OpenSSL, so
# fixes to that library arrive only when this crate is rebuilt, not through OS package updates.
openssl = { version = "^0.10", features = ["vendored"] }
tokio = { version = "^0.2.5", features = ["full"]}
# curl feature combinations tried for the same request. The trailing `# ok` / `# failed`
# appears to record whether certificate verification succeeded with each one; only one
# line is active at a time.
# curl = "0.4.25" # ok
# curl = {version = "0.4.25", features = ["static-ssl"] } # ok
curl = {version = "0.4.25", features = ["mesalink"] } # ok
# curl = {version = "0.4.25", features = ["static-curl"] } # failed
# curl = {version = "0.4.25", features = ["static-curl", "mesalink"] } # failed
# curl = {version = "0.4.25", features = ["static-curl", "static-ssl"] } # failed
[dependencies.reqwest]
# reqwest is taken from an exact upstream commit (git + rev) instead of a crates.io release.
#version = "0.10.0"
# version = " 0.10.0-alpha.2"
git = "https://github.com/seanmonstar/reqwest"
rev = "18fd9a63b0eb7bf51d2e2b7fe31b4567f0b05779"
# NOTE(review): `rustls-tls` is added here without `default-features = false`, so reqwest's
# default TLS feature is presumably still compiled in as well. Confirm which backend the
# client actually uses before attributing a verification failure to rustls.
features = ["json", "gzip", "rustls-tls"]
# features = ["rustls-tls"]
# # TODO: rustls
// Mac OSX (Catalina 10.15.2):
// ```
// --- with curl ---
// {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}
// [src/main.rs:51] main_with_curl().await = Ok(
// (),
// )
// --- with reqwest ---
// [src/main.rs:53] main_with_reqwest().await = Err(
// reqwest::Error {
// kind: Request,
// url: "https://35.232.6.83/",
// source: hyper::Error(
// Connect,
// Error {
// code: -67843,
// message: "The certificate was not trusted.",
// },
// ),
// },
// )
// ```
//
// Linux:
// ```
// Response {
// url: "https://35.232.6.83/",
// status: 403,
// headers: {
// "audit-id": "83ac14e8-8beb-4456-b495-35c81ba9b348",
// "content-type": "application/json",
// "x-content-type-options": "nosniff",
// "date": "Sat, 21 Dec 2019 18:21:52 GMT",
// "content-length": "185",
// },
// }
///```
///
// Endpoint under test, addressed by IP literal rather than by hostname.
// NOTE(review): with an IP-literal URL the server identity has to be checked against an
// IP-address entry in the certificate; TLS stacks differ in how (and whether) they do that,
// which is worth checking when two backends disagree on the same certificate.
const SERVERAPI_URL: &str = "https://35.232.6.83";
// CA certificate in PEM form, handed to both clients as an additional trust anchor.
// Presumably the cluster's own CA (verify against the cluster configuration). A CA
// certificate is public material, so embedding it does not expose a secret.
const CACERT_PEM: &str = r#"
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"#;
// Entry point: sends the same HTTPS request through both client stacks, curl first and
// reqwest second, so their certificate-verification results can be compared side by side.
#[tokio::main]
async fn main() {
println!("--- with curl ---");
// dbg! prints the expression text together with the returned Result to stderr. Errors are
// only reported, not propagated, so the process exit status does not reflect a failed request.
dbg!(main_with_curl().await);
println!("--- with reqwest ---");
dbg!(main_with_reqwest().await);
}
// Sends a GET to SERVERAPI_URL through reqwest with CACERT_PEM added as a root certificate,
// then pretty-prints the response. Any parsing, client-construction or transport error is
// returned to the caller.
async fn main_with_reqwest() -> Result<(), Box<dyn std::error::Error>> {
    use openssl::x509::X509;

    // The embedded PEM is parsed with OpenSSL and re-encoded as DER, which is the form
    // passed to reqwest below.
    let der = X509::from_pem(CACERT_PEM.as_bytes())?.to_der()?;
    let root = reqwest::Certificate::from_der(&der)?;

    // Certificate verification stays enabled: `danger_accept_invalid_certs(true)` is left
    // off, since it would make the request succeed without testing the supplied CA at all.
    // NOTE(review): no TLS backend is chosen explicitly here. The macOS error recorded at the
    // top of this file (code -67843, "The certificate was not trusted.") looks like a
    // platform Security framework error, which would mean the native backend handled the
    // connection rather than rustls. Confirm which backend is in use.
    let client = reqwest::Client::builder()
        .add_root_certificate(root)
        .build()?;

    let response = client.get(SERVERAPI_URL).send().await?;
    println!("{:#?}", response);
    Ok(())
}
// curl -i -v https://35.232.6.83 --cacert ./cert3.x509.crt
// Sends a GET to SERVERAPI_URL through libcurl with CACERT_PEM as the CA file and copies
// the response body to stdout. File, option and transfer errors are returned to the caller.
async fn main_with_curl() -> Result<(), Box<dyn std::error::Error>> {
    use curl::easy::Easy;
    use std::io::{stdout, Write};

    let mut handle = Easy::new();

    // libcurl is given its trust anchor as a file path, so the embedded PEM is written out
    // first. The path is relative: the file lands in the current working directory and
    // replaces any existing file of that name.
    // NOTE(review): if that directory is writable by other users, the trust anchor could be
    // swapped between this write and libcurl reading it. Run the test from a private directory.
    let ca_file = std::path::Path::new("ca.x509.crt");
    std::fs::write(ca_file, CACERT_PEM)?;
    handle.cainfo(ca_file)?;
    handle.url(SERVERAPI_URL)?;

    // Body chunks go straight to stdout. A failed stdout write panics inside the callback
    // (unwrap) instead of surfacing as an error from perform().
    handle.write_function(|chunk| {
        let consumed = chunk.len();
        stdout().write_all(chunk).unwrap();
        Ok(consumed)
    })?;

    // perform() is a blocking call; it runs the whole transfer before this future completes.
    handle.perform()?;
    Ok(())
}
# Command-line reproduction of the same check: write the CA certificate to a file, decode it,
# then request the endpoint with curl trusting only that CA file.
# The heredoc delimiter is unquoted, so the shell would expand `$` or backticks in the body.
# Base64 PEM contains neither, so the file is written verbatim.
cat >ca.x509.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIDDDCCAfSgAwIBAgIRANMRvVXXaTbXyxpbqXtlgyEwDQYJKoZIhvcNAQELBQAw
LzEtMCsGA1UEAxMkMzg1NTM1MzEtOTgwNS00NzcwLTllMzItMmY1MmM1NDU3NWY4
MB4XDTE5MTIxOTA3NTM1OVoXDTI0MTIxNzA4NTM1OVowLzEtMCsGA1UEAxMkMzg1
NTM1MzEtOTgwNS00NzcwLTllMzItMmY1MmM1NDU3NWY4MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAmX8Eg6r6tygSiIM3nMS4VwnYoXrrIuixlCGqsI4L
sw5j9oTslbNvsOjfFnRGyMK6wPm7x/htMC5B44Jyh2BedZbfcp7WXZJr7Dq/9SgR
/TPZmb1GwqVvqfE4RmzwK6wcaMSEkF/mqc9+IWiEpmMRmkdsvj2/8fydQM2+Wj8y
qSzaIgMopsaNuA4EWIKABeQH8vzIMjiEsvSpGDRRF14G6OMeCUypa780HCUwNKkc
BaAUc1VzAcQYTNzx78Y4IZCJjkwtBfKYWUibIWWeJaDAzNEbYGeBNtc6/kbvUuCL
VmibQ5+Qo6kgjchElRECZU4dhz8FKOMWh3YFyNpE7hZqrwIDAQABoyMwITAOBgNV
HQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA
b0qhFcv4LriftJrB5RX0XHjEjGiEirv4Xq9rUgGOTYGnrtKtqu7DPIoZagYgByTX
VnpqGJczQ/ZGZyAeE502uH6np6ftmQi98NFNe5W7btv/U4ZHN8VzQ2+77uBw/orY
YuVKNMMcc+CfO8pX2rv8Z4YUUvBz3/YO9h5K1IBjXuLCI+PM6+2OMFfaoSI0Iz8q
sazWeeT8orW1/LdJMokCkGqgPZC8X15j2/E6YlzPeebAQK/QgpMYg9XoHWJcuhSx
RgGI71iQAaYoBYSxSgV2cteECEiJlMoInkU0HCX7JlZlR/ypZl+ybPFVQigsAfpu
o098cHJLzIFII9icY8n1dQ==
-----END CERTIFICATE-----
EOF
# Decode the certificate as text (-noout suppresses the PEM re-encoding) so its subject,
# validity period and extensions can be read before it is used as a trust anchor.
openssl x509 -in ca.x509.crt -noout -text
# -i includes the response headers and -v prints the connection details, including the TLS
# handshake. --cacert makes curl verify the server against this file, leaving verification on.
curl -i -v https://35.232.6.83 --cacert ./ca.x509.crt