It seems, after running in verbose mode, that the (undocumented in the man page) default location for the trusted Root CA bundle is /etc/ssl/cert.pem which doesn't exist. I created a symlink to /usr/local/share/certs/ca-root-nss.crt and fetching from a URI whose method is HTTPS now works. -M