Description
I was trying to use docker rootless with rootlesskit and I identified why x509 certificates were not being loaded (and therefore not allowing me to pull docker images). The rootlesskit command is run with --copy-up=/etc --copy-up=/run, and on my system the x509 certificates are symlinked:
/etc/ssl/
├── ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem
├── certs -> ../../var/lib/ca-certificates/pem
├── certs.old -> ../../var/lib/ca-certificates/pem
└── ...
But those links are broken when running inside the rootless child:
/etc/
├── ...
├── .ro780432485
│ ├── ssl
│ │ ├── ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem
│ │ ├── certs -> ../../var/lib/ca-certificates/pem
│ │ ├── certs.old -> ../../var/lib/ca-certificates/pem
│ │ └── ...
├── ...
├── ssl -> .ro780432485/ssl
└── ...
I'm not sure if this is a known issue, but I didn't see it in the GitHub issues and it took me a while to debug the underlying issue (I lifted the docker pull code to try connecting to the docker registry until I narrowed it down to the fact that the x509 certificates were not being loaded).
I'm slightly surprised to see a relative link to resolve /var/lib, but in general relative links should be supported and I assume this is not going to be a straightforward fix. If it might be, I don't mind playing around with it and pushing a PR.
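The breakage in the two listings above can be reproduced and detected with a short check. This is an added example, not code from the issue or from rootlesskit: it builds a constructed temporary tree mirroring the listings and reports every dangling symlink together with the path it now resolves to. The function names are hypothetical.

```python
import os
import tempfile

def dangling_symlinks(root):
    """Map each symlink under root whose target is missing to the path it resolves to."""
    broken = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinked dirs
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not os.path.exists(path):
                # Lexical resolution relative to the directory that holds the link.
                broken[path] = os.path.normpath(os.path.join(dirpath, os.readlink(path)))
    return broken

def build_tree(base, ssl_dir):
    """Constructed sample: a CA store under var/ and a relative link to it in ssl_dir."""
    os.makedirs(os.path.join(base, "var/lib/ca-certificates/pem"), exist_ok=True)
    os.makedirs(os.path.join(base, ssl_dir))
    os.symlink("../../var/lib/ca-certificates/pem",
               os.path.join(base, ssl_dir, "certs"))

def demo():
    """Return (dangling links on the host layout, dangling links in the child layout)."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as child:
        build_tree(host, "etc/ssl")                # first listing: /etc/ssl/certs
        build_tree(child, "etc/.ro780432485/ssl")  # second listing: one level deeper
        os.symlink(".ro780432485/ssl", os.path.join(child, "etc/ssl"))

        def report(base):
            found = dangling_symlinks(os.path.join(base, "etc"))
            return {os.path.relpath(k, base): os.path.relpath(v, base)
                    for k, v in found.items()}

        return report(host), report(child)

if __name__ == "__main__":
    before, after = demo()
    print("host layout, dangling:", before)
    print("child layout, dangling:", after)
```

Because the link now sits one directory deeper, `../../` stops at `/etc` instead of `/`, so the target becomes `etc/var/lib/ca-certificates/pem`. Running `dangling_symlinks("/etc")` inside the rootless child lists every link affected in the same way.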