
Ensure cpanm downloads modules over HTTPS

Open dgl opened this issue 6 days ago • 4 comments

Currently cpanminus defaults to using HTTP; it doesn't know enough about the environment it is in for that to be possible to change (yet). Note that cpm does use HTTPS by default, so it's a potentially surprising difference depending on which package manager is picked.

However, this image knows it has ca-certificates and a way to download over HTTPS, so it can default the mirror to the HTTPS version of the default URL. This is roughly following the suggestion from https://github.com/miyagawa/cpanminus/issues/611#issuecomment-648642186 -- except using only --mirror and without the --verify part.

If Module::Signature were installed it would be possible to add --verify too, although there is a chain of trust issue there as well as needing more tools in the image (gpg), unless we also use the approach in #163 for Module::Signature and its deps.

tl;dr: This is the most minimal change that I think slightly raises the security bar.

dgl, Jul 02 '24 10:07
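A small audit script, added here as an example and not part of docker-perl or cpanminus, that checks a cpanm option string (for instance the value an image would put in PERL_CPANM_OPT) and reports any mirror that is not served over HTTPS. It assumes cpanm's built-in default mirror is http://www.cpan.org, which is why a configuration with no mirror option at all is reported as plain HTTP as well; the option strings in the demo are constructed.

```shell
#!/bin/sh
# Audit a cpanm option string for non-HTTPS mirrors.
# Returns 0 when every mirror is https://, 1 otherwise.
# Handles "--mirror URL", "--mirror=URL" and the "--from"/"-M" alias.
# Assumption: with no mirror option cpanm falls back to http://www.cpan.org.
audit_cpanm_mirrors() {
  opts="$1"
  seen=0
  insecure=0
  # Split the option string into words, as the shell would when cpanm is run.
  set -- $opts
  while [ $# -gt 0 ]; do
    case "$1" in
      --mirror=*) url="${1#--mirror=}"; shift ;;
      --from=*)   url="${1#--from=}";   shift ;;
      --mirror|--from|-M)
        shift
        url="${1:-}"
        [ $# -gt 0 ] && shift ;;
      *) shift; continue ;;
    esac
    seen=1
    case "$url" in
      https://*) echo "ok:       $url" ;;
      *)         echo "insecure: ${url:-(missing URL)}"; insecure=1 ;;
    esac
  done
  if [ "$seen" -eq 0 ]; then
    echo "insecure: no mirror option, cpanm defaults to http://www.cpan.org"
    insecure=1
  fi
  return $insecure
}

# Demo (constructed values): cpanm's default-style HTTP setting beside the
# HTTPS-only setting this issue proposes for the image.
WEAK_OPTS='--notest --mirror http://www.cpan.org/'
FIXED_OPTS='--notest --mirror https://www.cpan.org/ --mirror-only'
if audit_cpanm_mirrors "$WEAK_OPTS"; then echo "weak config passed?!"; fi
if audit_cpanm_mirrors "$FIXED_OPTS"; then echo "fixed config is HTTPS-only"; fi
```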