I did a docker install for 18.04 and did not install ca-certificates and got the error but after I installed that, it worked:
root@90bac59391ee:/# echo | openssl s_client -connect downloads.rclone.org:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:CN = downloads.rclone.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEYTCCA0mgAwIBAgISA4DyqFwaXJRtpDcfBQFCIcMaMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MDUwODI1MjNaFw0yMTEyMDQwODI1MjJaMB8xHTAbBgNVBAMT
FGRvd25sb2Fkcy5yY2xvbmUub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
2GvIuLvh0w/6Y+1Ss8olwJcDKDIIroKbTaD3eymnv5HWRTkq+bipZSmZNkSIFvj4
9Mg1s6FP/OVaKeZSb4ZPiKOCAk0wggJJMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
7T9FBt7uEuuDNYC4ETQ5dg2DDEUwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+v
nYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5s
ZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wHwYD
VR0RBBgwFoIUZG93bmxvYWRzLnJjbG9uZS5vcmcwTAYDVR0gBEUwQzAIBgZngQwB
AgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRz
ZW5jcnlwdC5vcmcwggECBgorBgEEAdZ5AgQCBIHzBIHwAO4AdQCUILwejtWNbIhz
H4KLIiwN0dpNXmxPlD1h204vWE2iwgAAAXu1RtY5AAAEAwBGMEQCICn25ZijHUjU
geUWuZbc7xl4aKQP4e3341D5VLIBxS6XAiAyuaqpDLv9inXPiK/gfewmUyGtVbk8
9LBlV/IuNpTuFwB1AH0+8viP/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAAB
e7VG1mEAAAQDAEYwRAIgYRjae9Qc7gA5xave/ejs0Ufc5aZAWtAZ6v4sGwD2WRsC
IHtbNhUpvrSwHiZG0wCZvzqU749AXkRpBxEOK9Bi1GF5MA0GCSqGSIb3DQEBCwUA
A4IBAQCJKRej5oRYhYo3UVcv/4sQ2WTNk5V+1ZHrbBZj9KLcJDfBTksryu01vvR1
fpH/LTkQTUHnTA+J7dOfqtlM+QFwFliAzK8rAje3qLIjyMQLKRQR1+bWjD7YDVnW
ZpycVAbpTGP1R7mz6S5mFVBeqV529ZWBGyRLb2/pH7uWgmxcDRW8l/xlWSbobibf
gjy6GN+FvHq8Qx/p575QBpe4SHwDcntKWGpExav3RTQTOT5lHc2YjVP51MWU5Fuf
3Ap8YsLOn6QThbL7K0Ij5d0ptocsH5cqDytDhx4lOa/oQfZ/sTz+nV2577liRAX6
afrGpkQf6aYlqKRTYjmEBtX394Y1
-----END CERTIFICATE-----
subject=CN = downloads.rclone.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4176 bytes and written 386 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: 23CF0AF6E2B37CC37F0875B8764C3D7284F8036F9816843076571C3F9904CFB1
Session-ID-ctx:
Resumption PSK: EC44CCF71DC30DE7B7B3955CEAC77F38710E550B993502E7F1569D1F341172EB
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
0000 - 61 1f c3 10 36 1a 07 e4-f4 9a ab c9 26 09 dd 32 a...6.......&..2
0010 - e9 77 0f f8 62 5e 27 39-0f 11 01 73 5d 09 f1 81 .w..b^'9...s]...
0020 - 36 6c c6 98 d2 d7 7f 3c-67 03 0a cc 73 78 8a 9b 6l.....<g...sx..
0030 - fe ac 18 88 5b 9b 48 78-fb da 2e 60 d3 9f e2 43 ....[.Hx...`...C
0040 - fa d3 4a 45 79 c3 ac 79-db 71 92 95 a2 bc 00 f6 ..JEy..y.q......
0050 - 4f 1b 23 c7 9a 36 e0 74-95 b0 b4 08 81 03 16 18 O.#..6.t........
0060 - 7f ec 7b 9e 34 4a 62 5d-0b 94 a7 6b 28 91 a7 db ..{.4Jb]...k(...
0070 - 75 u
Start Time: 1634916993
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
DONE
root@90bac59391ee:/#
root@90bac59391ee:/#
root@90bac59391ee:/#
root@90bac59391ee:/# apt install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ca-certificates
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 145 kB of archives.
After this operation, 388 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports bionic-updates/main arm64 ca-certificates all 20210119~18.04.2 [145 kB]
Fetched 145 kB in 0s (2099 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package ca-certificates.
(Reading database ... 4629 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119~18.04.2_all.deb ...
Unpacking ca-certificates (20210119~18.04.2) ...
Setting up ca-certificates (20210119~18.04.2) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/aarch64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/aarch64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/aarch64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/aarch64-linux-gnu/perl-base) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.)
debconf: falling back to frontend: Teletype
Updating certificates in /etc/ssl/certs...
128 added, 0 removed; done.
Processing triggers for ca-certificates (20210119~18.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@90bac59391ee:/# echo | openssl s_client -connect downloads.rclone.org:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = downloads.rclone.org
verify return:1
---
Certificate chain
0 s:CN = downloads.rclone.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEYTCCA0mgAwIBAgISA4DyqFwaXJRtpDcfBQFCIcMaMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MDUwODI1MjNaFw0yMTEyMDQwODI1MjJaMB8xHTAbBgNVBAMT
FGRvd25sb2Fkcy5yY2xvbmUub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
2GvIuLvh0w/6Y+1Ss8olwJcDKDIIroKbTaD3eymnv5HWRTkq+bipZSmZNkSIFvj4
9Mg1s6FP/OVaKeZSb4ZPiKOCAk0wggJJMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
7T9FBt7uEuuDNYC4ETQ5dg2DDEUwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+v
nYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5s
ZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wHwYD
VR0RBBgwFoIUZG93bmxvYWRzLnJjbG9uZS5vcmcwTAYDVR0gBEUwQzAIBgZngQwB
AgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRz
ZW5jcnlwdC5vcmcwggECBgorBgEEAdZ5AgQCBIHzBIHwAO4AdQCUILwejtWNbIhz
H4KLIiwN0dpNXmxPlD1h204vWE2iwgAAAXu1RtY5AAAEAwBGMEQCICn25ZijHUjU
geUWuZbc7xl4aKQP4e3341D5VLIBxS6XAiAyuaqpDLv9inXPiK/gfewmUyGtVbk8
9LBlV/IuNpTuFwB1AH0+8viP/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAAB
e7VG1mEAAAQDAEYwRAIgYRjae9Qc7gA5xave/ejs0Ufc5aZAWtAZ6v4sGwD2WRsC
IHtbNhUpvrSwHiZG0wCZvzqU749AXkRpBxEOK9Bi1GF5MA0GCSqGSIb3DQEBCwUA
A4IBAQCJKRej5oRYhYo3UVcv/4sQ2WTNk5V+1ZHrbBZj9KLcJDfBTksryu01vvR1
fpH/LTkQTUHnTA+J7dOfqtlM+QFwFliAzK8rAje3qLIjyMQLKRQR1+bWjD7YDVnW
ZpycVAbpTGP1R7mz6S5mFVBeqV529ZWBGyRLb2/pH7uWgmxcDRW8l/xlWSbobibf
gjy6GN+FvHq8Qx/p575QBpe4SHwDcntKWGpExav3RTQTOT5lHc2YjVP51MWU5Fuf
3Ap8YsLOn6QThbL7K0Ij5d0ptocsH5cqDytDhx4lOa/oQfZ/sTz+nV2577liRAX6
afrGpkQf6aYlqKRTYjmEBtX394Y1
-----END CERTIFICATE-----
subject=CN = downloads.rclone.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4177 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: E67CE39CFCCDFA44E878B9B6C0A3D9CCA58D124B6C77D284E798E94D421122F2
Session-ID-ctx:
Resumption PSK: 06F16A9DF5C6914E1CA96B582A2F3C66E5D9FB8757BCE576A42DCB8E1DCFA29D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
0000 - 61 1f c3 10 36 1a 07 e4-f4 9a ab c9 26 09 dd 32 a...6.......&..2
0010 - d0 4a c0 f3 b6 ae 76 71-a3 d7 88 a2 94 92 dd 97 .J....vq........
0020 - 35 a3 d8 db 99 f6 8d 6b-48 60 92 0a a5 bf 3b 02 5......kH`....;.
0030 - d2 df 1a 1e 50 37 0a 7f-ab d2 db 3b 9d 32 f3 ed ....P7.....;.2..
0040 - 9c 98 29 6a ad 67 3b 5d-fe 38 8a e2 bc 5d c8 31 ..)j.g;].8...].1
0050 - ed 6f dd 13 7e f6 04 9a-dc 8e 83 57 ee dd 99 6d .o..~......W...m
0060 - 11 a1 c2 fc 89 61 1c 27-ca 49 fc 6f af bc 42 4c .....a.'.I.o..BL
0070 - 13 .
Start Time: 1634917064
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
DONE
root@90bac59391ee:/#