Looks like the difference is that the image that we're getting from maas uses NSS 3.15, which defaults to disabling TLS 1.1 and 1.2. you can fix the command to work correctly by adding --tlsv1 --ciphers ecdhe_rsa_aes_256_sha to the curl command. The version on GCE's CentOS7 uses NSS 3.19. (in 3.18 they enabled tls 1.1 and 1.2 by default).
Looks like the difference is that the image that we're getting from maas uses NSS 3.15, which defaults to disabling TLS 1.1 and 1.2. you can fix the command to work correctly by adding --tlsv1 --ciphers ecdhe_rsa_ aes_256_ sha to the curl command. The version on GCE's CentOS7 uses NSS 3.19. (in 3.18 they enabled tls 1.1 and 1.2 by default).