intrigeri:
> the current code I have that does exactly this uses WWW::Curl
> instead

As Ian requested, here is that code:

https://git.tails.boum.org/perl5lib/tree/lib/Tails/Download/HTTPS.pm

(note that this code is a bit more complicated than you want because IIRC it takes care of problems specific to upgrade systems, as defined in the TUF paper)

To make this approach work, the Let's Encrypt (currently: intermediate) CA should be shipped in ca-certificates, be it trusted by default or elsewhere than in /etc/ssl/certs/.