Ok, problem solved. The problem is due to this being run inside a Kubernetes pod. Our base image is Alpine, which doesn’t include the root certs, apparently.
When I installed curl in the pod to test, it installed the ca-certificates package. This made curl work, but the Go code is an http server that doesn’t die. It won’t load the new certs unless the process is restarted, which would cause a pod restart.
Once I added apt-get install ca-certificates in the Dockerfile, the call worked. Thanks for looking at it, @nate.barbettini!
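A startup check for the failure described in this thread, as an added example that is not part of the original post or the poster's code: it makes a Go server refuse to start when the image has no usable CA bundle, so the problem surfaces at deploy time instead of on the first outbound HTTPS call. The bundle paths and the names `checkTrustStore` and `constructedCertPEM` are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Assumed bundle locations (not from the post); adjust to your base image.
var bundlePaths = []string{"/etc/ssl/certs/ca-certificates.crt", "/etc/ssl/cert.pem"}

// checkTrustStore returns the first path holding at least one parseable CA certificate.
func checkTrustStore(paths []string) (string, error) {
	for _, p := range paths {
		// An unreadable or certificate-free file is what an image without ca-certificates looks like.
		data, err := os.ReadFile(p)
		if err == nil && x509.NewCertPool().AppendCertsFromPEM(data) {
			return p, nil
		}
	}
	return "", fmt.Errorf("no usable CA bundle in %v", paths)
}

// constructedCertPEM builds a throwaway self-signed certificate (constructed sample data).
func constructedCertPEM() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Run before http.ListenAndServe so a bad image fails at deploy time.
	if _, err := checkTrustStore(bundlePaths); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
}
```

`constructedCertPEM` is only there so the check can be exercised against a temporary file in a unit test; the server itself calls `checkTrustStore` alone.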