It turned out OS_CACERT has to be set when authentication is done with TLS-enabled server. Though, the CLI perhaps should not traceback in the backgroud anyway?