That is what I'm doing for pkl project resolve, but I get the SSL handshake error with formae eval main.pkl. I've even tried update-ca-certificates to update the system ca store and formae doesn't seem to use them. I'm using the formae docker image.

Sorry, to add some context, our corporate security implementation breaks TLS with an intentional man-in-the-middle attack to ensure we're not doing something nefarious on the internet. This breaks nearly every tool that tries to actually prevent this very behavior. I constantly play whack-a-mole with trying to get our CA cert in the correct place. I've tried updating the system cacerts, and for whatever reason, Pkl still choked on the self-signed cert, and I had to use the .pkl/cacerts. So, yes, I think you are correct about the system certs, but I'll take any functional approach so I can test out the tool.