PE 2015.3 comes with an included curl binary located at /opt/puppetlabs/puppet/bin/curl.
Unlike the curl binary included with the Ubuntu operating system, the one included with PE does not honor the underlying operating system's SSL library. This means that no certificate is presented to our transparent HTTPS intercept/proxy, which in turn means that any external attempts made by the included curl over HTTPS, for example to https://forge.puppetlabs.com, fail with an SSL mismatch error.
Deleting the /opt/puppetlabs/puppet/bin/curl binary allows the one included with the OS to take over, which corrects this issue.
Puppet should rely on the OS' curl package by default, instead of coming bundled.