revert setting --insecure to download ca-certificates #18800

Merged
merged 1 commit into from
Nov 24, 2024

Conversation

EricFromCanada
Member

@EricFromCanada EricFromCanada commented Nov 22, 2024

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

Previously, adding --insecure was necessary for curl to download the ca-certificates .pem file on older macOS versions. At some point since then, the introduction of all: bottles allowed those macOS versions to instead download a bottle for ca-certificates from GitHub, which happens to allow stock curl on macOS 10.11 & 10.12 (curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8) to download it during installation without needing --insecure.

This would have gone unnoticed, except that now adding --insecure actively prevents downloading from servers whose certificates rely on SNI because of a quirk of Secure Transport:

$ /usr/bin/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.4.6-25-gf597978\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 10.12.6\)\ curl/7.54.0 --header Accept-Language:\ en --fail --retry 3 --insecure --remote-time --output /Users/vmadmin/Library/Caches/Homebrew/downloads/4080d87775c0373afc13f3d24afaa24bdbbec40879ce7e9c09896f1ab36e5259--cacert-2024-09-24.pem.incomplete --location https://curl.se/ca/cacert-2024-09-24.pem --http1.1 --verbose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.1.91...
* TCP_NODELAY set
* Connected to curl.se (151.101.1.91) port 443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: n.sni-347-default.ssl.fastly.net
* Server certificate: GlobalSign Atlas R3 DV TLS CA 2024 Q4
* Server certificate: GlobalSign
> GET /ca/cacert-2024-09-24.pem HTTP/1.1
> Host: curl.se
> User-Agent: Homebrew/4.4.6-25-gf597978 (Macintosh; Intel Mac OS X 10.12.6) curl/7.54.0
> Accept: */*
> Accept-Language: en
> 
* The requested URL returned error: 421 Misdirected Request
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (22) The requested URL returned error: 421 Misdirected Request

This doesn't affect macOS 10.13 and later, whose curl uses LibreSSL (curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0).

Removing the code for adding --insecure to download ca-certificates allows fresh installs on macOS 10.11 & 10.12 to work again, which now only need the flag when downloading API *.json files from GitHub.

(This also removes a long-forgotten --insecure reference in vendor-install.sh.)

Before:

==> Fetching ca-certificates
==> Downloading https://ghcr.io/v2/homebrew/core/ca-certificates/manifests/2024-09-24
########################################################################################################################### 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/ca-certificates/blobs/sha256:212f2576348d5f5797d8d3905eb70d0d9bf8829345bce9e20e2f
Warning: Using `--insecure` with curl to download an updated certificates file because we need it to run `brew install curl` in order to download securely from now on. Checksums will still be verified.

curl: (22) The requested URL returned error: 421 Misdirected Request
Error: curl: Failed to download resource "ca-certificates"
Download failed: https://ghcr.io/v2/homebrew/core/ca-certificates/blobs/sha256:212f2576348d5f5797d8d3905eb70d0d9bf8829345bce9e20e2fd0336f344648
Error: 'curl' must be installed and in your PATH!

After:

==> Fetching ca-certificates
==> Downloading https://ghcr.io/v2/homebrew/core/ca-certificates/manifests/2024-09-24
Already downloaded: /Users/vmadmin/Library/Caches/Homebrew/downloads/338dad7c2ff7c822cda7c417944521589856741c0fbd7a7f07b88a18d7fb7e05--ca-certificates-2024-09-24.bottle_manifest.json
==> Downloading https://ghcr.io/v2/homebrew/core/ca-certificates/blobs/sha256:212f2576348d5f5797d8d3905eb70d0d9bf8829345bce9e20e2f
########################################################################################################################### 100.0%
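The failure described above has a recognisable signature: a Secure Transport curl prints "disabling hostname validation also disables SNI" when run with --insecure, and the SNI-dependent server then answers 421. The following POSIX sh helpers are an added example, not Homebrew's own code: one checks a `curl --version` line for the Secure Transport backend (the build where --insecure drops SNI), the other classifies a captured --verbose transcript. The version strings are the ones quoted in this PR; the log excerpts are constructed from the transcript above.

```shell
#!/bin/sh
# Added example (not Homebrew code): decide whether --insecure would also
# disable SNI for a given curl build, and diagnose the resulting 421.

# Version lines quoted in the PR (macOS 10.12 and 10.13 stock curl).
ST_VERSION='curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8'
LIBRESSL_VERSION='curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0'

# Constructed log excerpts, trimmed from the transcript in the PR description.
SNI_LOG='* Connected to curl.se (151.101.1.91) port 443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* Server certificate: n.sni-347-default.ssl.fastly.net
* The requested URL returned error: 421 Misdirected Request
curl: (22) The requested URL returned error: 421 Misdirected Request'
OK_LOG='* Connected to curl.se (151.101.1.91) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
< HTTP/1.1 200 OK'

# Returns 0 when the first line of `curl --version` names Secure Transport,
# i.e. a build where -k/--insecure also switches off SNI.
insecure_disables_sni() {
  case "$1" in
    *SecureTransport*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classifies a curl --verbose transcript passed as one string:
#   sni-disabled-421  SNI warning followed by a 421 (the bug in this PR)
#   http-421          a 421 without the SNI warning (look elsewhere)
#   ok                no 421 seen
diagnose_curl_log() {
  if printf '%s\n' "$1" | grep -q 'disabling hostname validation also disables SNI' &&
     printf '%s\n' "$1" | grep -q '421 Misdirected Request'; then
    echo "sni-disabled-421"
  elif printf '%s\n' "$1" | grep -q '421 Misdirected Request'; then
    echo "http-421"
  else
    echo "ok"
  fi
}

# Usage on a live system: insecure_disables_sni "$(curl --version | head -n1)"
```

A wrapper that fetches ca-certificates can run `insecure_disables_sni` first and simply never pass --insecure on a Secure Transport build, which is the behaviour this PR restores for the bottle download.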

Member

@MikeMcQuaid MikeMcQuaid left a comment


Great news, thanks @EricFromCanada!

@MikeMcQuaid MikeMcQuaid merged commit 8d30564 into master Nov 24, 2024
28 checks passed
@MikeMcQuaid MikeMcQuaid deleted the ca-certs-secure branch November 24, 2024 20:12