When using our Http2Client to communicate with a public API that uses CA-signed certificates, we have to find a way to download the certificate from the site and put it into our client.truststore file in order to establish a TLS connection to the site, if the certificate cannot be obtained through the right channel.
There are multiple options to do that, and the simplest one is from the browser; however, the certificate downloaded from the browser might not be complete, as we need the entire chain to verify the certificate during the handshake.
Please note that downloading the certificate from the client side might not work all the time, as the server might be behind a proxy which has its own certificate and the proxy is set up as TLS passthrough. In that case, the certificate downloaded is for the proxy server and the real server will reject your certificate during the handshake. This happens with most Kubernetes or OpenShift clusters.
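As an added example (not code from the original page or from the project), the script below captures every certificate an endpoint presents with `openssl s_client -showcerts`, rather than the single certificate a browser export may give, and imports each one into client.truststore. It assumes `openssl` and `keytool` are on the PATH; the function names, alias scheme and sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names, alias scheme and sample text are assumptions.

# split_chain OUTDIR: read `openssl s_client -showcerts` output on stdin, write each
# PEM block to OUTDIR/cert-N.pem (0 is the leaf) and print the number found.
split_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { file = sprintf("%s/cert-%d.pem", dir, n++); inside = 1 }
    inside { print > file }
    /-----END CERTIFICATE-----/ { inside = 0; close(file) }
    END { print n + 0 }
  '
}

# fetch_chain HOST PORT OUTDIR: save every certificate the endpoint sends.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    split_chain "$3"
}

# import_chain OUTDIR TRUSTSTORE ALIAS_PREFIX: import each certificate under its own
# alias. keytool prompts for the store password and, when it cannot already verify a
# certificate, prints its owner, issuer and fingerprints and asks for confirmation.
import_chain() {
  for pem in "$1"/cert-*.pem; do
    keytool -importcert -alias "$3-$(basename "$pem" .pem)" -file "$pem" -keystore "$2"
  done
}

# Constructed sample of -showcerts output (placeholder bodies, not real certificates).
sample_showcerts() {
  cat <<'EOF'
 0 s:CN = api.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5U
-----END CERTIFICATE-----
EOF
}

if [ "$#" -eq 3 ]; then  # run as: script HOST PORT TRUSTSTORE
  dir=$(mktemp -d); n=$(fetch_chain "$1" "$2" "$dir")
  [ "$n" -ge 2 ] || echo "warning: $n certificate(s) presented; chain may be incomplete" >&2
  import_chain "$dir" "$3" "$1"
fi
```

Compare the fingerprints keytool displays with values obtained from the API owner before confirming each import, since the endpoint that answered may be a proxy rather than the real server.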