Unable to use TLS client certificate

I use restic 0.16.0 and restic-rest-server 0.12.1 behind nignx.

I have setup nginx so it requires a client certificate as such:

curl --cert client.pem --key client.key https://restic.local/home

works.

However this fail:

restic --tls-client-cert client.pem -r rest:https://restic.local/home snapshots
Fatal: parse TLS client cert or key: tls: failed to find any PEM data in key input

My cert.pem looks like:

Bag Attributes
    localKeyID: 5B B4 B1 EE 1F DF 5F D8 43 E0 D2 9E 37 3D 3F F8 C9 B3 99 CC 
subject=/C=FR/ST=France...
issuer=/ST=France...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 5B B4 B1 EE 1F DF 5F D8 43 E0 D2 9E 37 3D 3F F8 C9 B3 99 CC 
Key Attributes: <No Attributes>

I generate it through:

#!/usr/bin/env bash
set -xeuo pipefail

if [ $# -ne 2 ];
then
  echo "Usage: $0 SERVICE USER"
  exit 2
fi

SERVICE=$1
USER=$2
CRT_DIR=client/generated/$SERVICE/$USER
CA_DIR=client/generated/$SERVICE/ca
REQ_DIR=client/requests
COMMON_NAME="${USER} client cert for ${SERVICE} ($(date --utc +"%Y-%m-%dT%H:%M:%SZ"))"

mkdir -p "$CRT_DIR"

# Create a new certificate
openssl req \
  -new \
  -nodes \
  -newkey rsa:4096 \
  -config "$CRT_DIR/client.conf" \
  -keyout "$CRT_DIR/client.key" \
  -out "$CRT_DIR/client.csr"

# Sign it with our CA
openssl ca \
  -config "$CA_DIR/ca.conf" \
  -cert "$CA_DIR/ca.crt" \
  -keyfile "$CA_DIR/ca.key" \
  -out "$CRT_DIR/client.crt" \
  -infiles "$CRT_DIR/client.csr"

# Export client key
openssl pkcs12 \
  -export \
  -clcerts \
  -in "$CRT_DIR/client.crt" \
  -inkey "$CRT_DIR/client.key" \
  -out "$CRT_DIR/client.p12"
openssl pkcs12 \
  -clcerts \
  -in "$CRT_DIR/client.p12" \
  -out "$CRT_DIR/client.pem"

echo "Browser key: $PWD/$CRT_DIR/client.p12"
echo "PEM key: $PWD/$CRT_DIR/client.pem"

What am I missing?
Thanks.

Actually, I had to craft a PEM file with the certificate and the private key:

cat client.crt client.key > full.pem

That makes sense, the --help entry for the --tls-client-cert flag mentions it needs a combined key/certificate file.

A quick scan of the rest repository setup part of the docs suggests --cacert might have worked with just the certificate file.