- Bug
- Resolution: Unresolved
- rhel-9.1.0
- rhel-sst-display-productivity
- ssg_display
- DESKTOP Cycle #1 10.0 phase, DESKTOP Cycle #2 10.0 phase, DESKTOP Cycle #3 10.0 phase, DESKTOP Cycle #5 10.0 phase
We need to do something to ensure that the certificates from certificate authorities (or CAs) that are available inside the container are kept synchronized with the host.
Normally, we'd do this by using symbolic links or bind mounts in /etc, but the layout of the files differs quite a bit across distributions. Debian uses /etc/ssl, Fedora uses /etc/pki and has /etc/ssl/certs as a symbolic link to /etc/pki/tls/certs, and so on. It's a mess.
Instead, we might have better luck using p11-kit [1], just as Flatpak does. p11-kit offers a uniform interface for accessing certificates stored on the file system, on smart cards and so on. Normally, p11-kit looks up the certificates that are present on the host's file system. However, it can also be configured to forward all lookups to a socket, and a p11-kit server ... instance on the other side does the lookups and returns the results over the socket.
In our case, we need to start a p11-kit server ... instance on the host, configure the container to forward everything to it over the socket, and ensure that the socket is present at the right place.
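The host/container split described above, as an added example that is not part of this bug report or of Toolbox: one function builds the host-side `p11-kit server` command, one writes the container's module configuration that forwards trust lookups to the socket, and one checks the socket is actually present under the container root. The provider module path, the socket path and the exact module config file name are assumptions drawn from how p11-kit module files are laid out, not values taken from the report.

```shell
#!/bin/sh
# Added example (not the bug report's or Toolbox's own code): wire a container's
# p11-kit trust lookups to a `p11-kit server` instance running on the host.
# Assumptions: HOST_PROVIDER is the host's p11-kit-trust module (placeholder path),
# SOCKET_PATH is where the socket is bind-mounted into the container (placeholder),
# and the container root passed to the functions is writable by this script.
set -eu

HOST_PROVIDER="${HOST_PROVIDER:-/usr/lib64/pkcs11/p11-kit-trust.so}"   # assumed path
SOCKET_PATH="${SOCKET_PATH:-/run/user/$(id -u)/p11-kit/pkcs11}"         # assumed path

# Host side: the command that serves the host's trust store over a Unix socket.
# The token URI asks for a write-protected view so the container cannot add or
# remove anchors through the socket; only lookups go across.
host_server_cmd() {
    printf 'p11-kit server -n %s --provider %s "pkcs11:model=p11-kit-trust?write-protected=yes"\n' \
        "$SOCKET_PATH" "$HOST_PROVIDER"
}

# Container side: replace the trust module config with one that forwards every
# lookup to the socket instead of loading a module from the container's own
# /etc/pki or /etc/ssl layout. $1 is the container's root directory.
write_remote_module_conf() {
    root="$1"
    mkdir -p "$root/etc/pkcs11/modules"
    conf="$root/etc/pkcs11/modules/p11-kit-trust.module"   # assumed file name
    printf 'remote: unix:path=%s\n' "$SOCKET_PATH" > "$conf"
    printf '%s\n' "$conf"
}

# Sanity check before trusting the setup: the socket the config points at must
# exist inside the container root, otherwise every lookup will fail and
# nothing will be trusted. Returns 0 when the socket is present, 1 otherwise.
check_socket() {
    root="$1"
    [ -S "$root$SOCKET_PATH" ]
}
```

Run `host_server_cmd` on the host and bind-mount `SOCKET_PATH` into the container at the same path before calling `write_remote_module_conf` against the container root.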
Here are the Flatpak counterparts of this issue:
https://github.com/flatpak/flatpak/pull/1757
https://github.com/p11-glue/p11-kit/issues/68