Chef Infra Client version 15.4.45
Similar to https://github.com/chef/chef/issues/5944
The chef_gem resource currently only respects custom/private certs when they are found in the chef-client embedded ssl certs bundle after having been added by the customer.
If the chef_gem resource trusted trusted_certs content, this would be better/cleaner than adding certs to the embedded chef-client location at /opt/chef/embedded/lib/ruby/site_ruby/2.5.0/rubygems/ssl_certs for example.
Here's what happens when no part of the chef-client runtime is aware of the additional cert:
ERROR: SSL verification error at depth 2: self signed certificate in certificate chain (19)
ERROR: Root certificate is not trusted (/CN=CUSTOMER Group Root CA Proxy G2)