This is just another version of this question: Using openssl to get the certificate from a server

Or put more bluntly:

Using curl –cert is wrong, it is for client certificates.

First, get the the certs your server is using:

$ echo quit | openssl s_client -showcerts -servername server -connect server:443 > cacert.pem

(-servername is necessary for SNI so that you get the right virtual server’s certificate back)

Then make your curl command line use that set to verify the server in subsequent operations:

$ curl --cacert cacert.pem https://server/ [and the rest]

special teaser

Starting with curl 7.88.0 (to be shipped in February 2023), curl can save the certificates itself with the new %{certs} variable for the -w option. Blogged about here.