Mobileread
PW3 Updating ca-certificates
#1  stefer 03-20-2023, 06:59 AM
I've been trying to update the ca certificate bundle on my KPW3 without much success. Since it's still running 5.14.2, the certificate bundle is pretty old, and the device can't connect to any web servers that use Let's Encrypt certs anymore.

According to this post, I would need to update /etc/ssl/ca-certificates.crt and /usr/java/lib/security/cacerts, so I downloaded the latest (5.15.1.1) firmware image, extracted the rootfs squashfs image with kindletool, copied the two files from it and replaced the corresponding files on my KPW3 (ca-certificates.crt is a symlink to ca-certificates-prod.crt so I replaced ca-certificates-prod.crt instead).

I'm not quite sure how to test the updated java keystore, but the updated ca-certificates.crt doesn't seem to be working with openssl s_client ootb. The error message I get is "Verify return code: 20 (unable to get local issuer certificate)", and the experimental web browser can't establish a secure connection with anything that uses Let's Encrypt certs either. However, curl or wget seem to be able to pick it up without any issues, and openssl will give me "Verify return code: 0 (ok)" as well if I specify the CA file with -CAfile /etc/ssl/certs/ca-certificates.crt.

So the question is what am I missing here? Since the updated CA certificate bundle seems to work just fine if I explicitly tell openssl to use it, do I have a configuration issue? I've searched this forum on this topic and wasn't able to find any concrete answers so far.

Note: This is my first post so apologies if there are any formatting issues. It would be great if someone can tell me if there's a way to do inline monospace text too.
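The symptom in the post (verification fails without `-CAfile` but passes with it) usually means the OpenSSL build is looking somewhere other than /etc/ssl/certs/ca-certificates.crt by default. The following script is an added example, not code from the original post or from anyone in this thread. It uses only the Python standard library: it prints the compiled-in default CA file and directory of the OpenSSL that Python links against, counts the PEM blocks in a bundle, and lists the CA certificates the bundle actually loads, flagging expired ones and checking for "ISRG Root X1" (the Let's Encrypt root). The Kindle bundle path is taken from the post as an assumed default; the script is meant to run on any host, for instance against the bundle extracted from the firmware image with kindletool.

```python
"""Inspect a PEM CA bundle and OpenSSL's default trust locations.

Added diagnostic example (not from the original post). It helps explain
"works with -CAfile, fails without": it shows where the linked OpenSSL looks
for trust anchors when no CA file is given, and lists the root CAs a bundle
really contains, so you can confirm that ISRG Root X1 is present and unexpired.
"""
import os
import ssl
import time

# Assumed device path, taken from the forum post; only used as a default argument.
KINDLE_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def default_verify_paths():
    """Where the linked OpenSSL looks for CAs when no -CAfile/-CApath is given."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile_env": p.openssl_cafile_env,   # env var that overrides the file (SSL_CERT_FILE)
        "openssl_cafile": p.openssl_cafile,   # compiled-in default CA file
        "capath_env": p.openssl_capath_env,   # env var that overrides the dir (SSL_CERT_DIR)
        "openssl_capath": p.openssl_capath,   # compiled-in default hashed CA directory
    }


def count_pem_blocks(text):
    """Cheap sanity check: number of certificate blocks in PEM text."""
    return text.count("-----BEGIN CERTIFICATE-----")


def _common_name(name):
    """Extract commonName from the ssl module's nested subject/issuer tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def list_bundle_roots(path, now=None):
    """Load a PEM bundle into a fresh context and describe each CA cert in it.

    Returns a list of dicts (common_name, not_after as epoch seconds, expired).
    Returns [] when the file is missing or holds no usable CA certificate.
    """
    now = time.time() if now is None else now
    # A bare SSLContext has no system roots loaded, so only the bundle is listed.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError):
        return []
    roots = []
    for cert in ctx.get_ca_certs():
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        roots.append({
            "common_name": _common_name(cert["subject"]),
            "not_after": not_after,
            "expired": not_after < now,
        })
    return roots


def bundle_has_root(path, common_name):
    """True if an unexpired CA with this commonName is in the bundle."""
    return any(r["common_name"] == common_name and not r["expired"]
               for r in list_bundle_roots(path))


if __name__ == "__main__":
    import sys
    bundle = sys.argv[1] if len(sys.argv) > 1 else KINDLE_BUNDLE
    for key, value in default_verify_paths().items():
        print(f"{key}: {value}")
    if os.path.exists(bundle):
        with open(bundle) as fh:
            print(f"{bundle}: {count_pem_blocks(fh.read())} PEM blocks")
        for root in list_bundle_roots(bundle):
            print(f"  {'EXPIRED' if root['expired'] else 'ok':7} {root['common_name']}")
        print("ISRG Root X1 present:", bundle_has_root(bundle, "ISRG Root X1"))
    else:
        print(f"{bundle}: not found")
```

If `openssl_cafile` or `openssl_capath` points somewhere other than the bundle you replaced, that is the file or directory the bare `openssl s_client` (and likely the browser) is trusting; a hashed `capath` directory also needs its hash symlinks regenerated after the certificates change, which is what `c_rehash` does on a desktop system. The same default-path information is available from the command line with `openssl version -d`.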

#2  Kusuri 03-20-2023, 07:08 AM
I don't know if this is the case on Kindles, but some browsers have their own certificate storage. So even if you update the operating system certs, it can't use those and has its own storage for certs. Could it be that the Kindle's browser has such a storage? Especially since you mentioned that curl and wget work?

#3  stefer 03-20-2023, 07:16 AM
Yeah that could certainly be a possibility, but I'm struggling to find another cert store in the rootfs, so I'm hoping someone might have an idea on where the browser is reading the cert storage from.
